[ { "schema_version": "1.5.0", "id": "CURL-CVE-2026-3784", "aliases": [ "CVE-2026-3784" ], "summary": "wrong proxy connection reuse with credentials", "modified": "2026-03-11T07:49:13.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2026-3784.json", "www": "https://curl.se/docs/CVE-2026-3784.html", "issue": "https://hackerone.com/reports/3584903", "CWE": { "id": "CWE-305", "desc": "Authentication Bypass by Primary Weakness" }, "last_affected": "8.18.0", "severity": "Low" }, "published": "2026-03-11T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.7"}, {"fixed": "8.19.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4"}, {"fixed": "5f13a7645e565c5c1a06f3ef86e97afb856fb364"} ] } ], "versions": [ "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7" ] } ], "credits": [ { "name": "Muhamad Arga Reksapati (HackerOne: nobcoder)", "type": "FINDER" }, { "name": "Stefan Eissing", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a\nserver, even if the new request uses different credentials for the HTTP proxy.\nThe proper behavior is to create or use a separate connection." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2026-1965", "aliases": [ "CVE-2026-1965" ], "summary": "bad reuse of HTTP Negotiate connection", "modified": "2026-03-11T07:49:13.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2026-1965.json", "www": "https://curl.se/docs/CVE-2026-1965.html", "CWE": { "id": "CWE-305", "desc": "Authentication Bypass by Primary Weakness" }, "last_affected": "8.18.0", "severity": "Medium" }, "published": "2026-03-11T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.10.6"}, {"fixed": "8.19.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "e56ae1426cb7a0a4a427cf8d6099a821fdaae428"}, {"fixed": "f1a39f221d57354990e3eeeddc3404aede2aff70"} ] } ], "versions": [ "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6" ] } ], "credits": [ { "name": "Zhicheng Chen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl can in some circumstances reuse the wrong connection when asked to do\nan Negotiate-authenticated HTTP or HTTPS request.\n\nlibcurl features a pool of recent connections so that subsequent requests can\nreuse an existing connection to avoid overhead.\n\nWhen reusing a connection a range of criterion must first be met. Due to a\nlogical error in the code, a request that was issued by an application could\nwrongfully reuse an existing connection to the same server that was\nauthenticated using different credentials. One underlying reason being that\nNegotiate sometimes authenticates *connections* and not *requests*, contrary\nto how HTTP is designed to work.\n\nAn application that allows Negotiate authentication to a server (that responds\nwanting Negotiate) with `user1:password1` and then does another operation to\nthe same server also using Negotiate but with `user2:password2` (while the\nprevious connection is still alive) - the second request wrongly reused the\nsame connection and since it then sees that the Negotiate negotiation is\nalready made, it just sends the request over that connection thinking it uses\nthe user2 credentials when it is in fact still using the connection\nauthenticated for user1...\n\nThe set of authentication methods to use is set with `CURLOPT_HTTPAUTH`.\n\nApplications can disable libcurl's reuse of connections and thus mitigate this\nproblem, by using one of the following libcurl options to alter how\nconnections are or are not reused: `CURLOPT_FRESH_CONNECT`,\n`CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the\ncurl_multi API)." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2025-0725", "aliases": [ "CVE-2025-0725" ], "summary": "gzip integer overflow", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2025-0725.json", "www": "https://curl.se/docs/CVE-2025-0725.html", "issue": "https://hackerone.com/reports/2956023", "CWE": { "id": "CWE-680", "desc": "Integer Overflow to Buffer Overflow" }, "award": { "amount": "505", "currency": "USD" }, "last_affected": "8.11.1", "severity": "Low" }, "published": "2025-02-05T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.10.5"}, {"fixed": "8.12.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "019c4088cfcca0d2b7c5cc4f52ca5dac0c616089"}, {"fixed": "76f83f0db23846e254d940ec7fe141010077eb88"} ] } ], "versions": [ "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5" ] } ], "credits": [ { "name": "z2_", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When libcurl is asked to perform automatic gzip decompression of\ncontent-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option,\n**using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would\nmake libcurl perform a buffer overflow." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2023-38546", "aliases": [ "CVE-2023-38546" ], "summary": "cookie injection with none file", "modified": "2024-07-02T09:22:24.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2023-38546.json", "www": "https://curl.se/docs/CVE-2023-38546.html", "issue": "https://hackerone.com/reports/2148242", "CWE": { "id": "CWE-73", "desc": "External Control of filename or Path" }, "award": { "amount": "540", "currency": "USD" }, "last_affected": "8.3.0", "severity": "Low" }, "published": "2023-10-11T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.9.1"}, {"fixed": "8.4.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "74d5a6fb3b9a96d9fa51ba90996e94c878ebd151"}, {"fixed": "61275672b46d9abb3285740467b882e22ed75da8"} ] } ], "versions": [ "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1" ] } ], "credits": [ { "name": "w0x42 on hackerone", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "This flaw allows an attacker to intentionally inject cookies into a running\nprogram using libcurl, if the specific series of conditions are met.\n\nlibcurl performs transfers. In its API, an application creates \"easy handles\"\nthat are the individual handles for single transfers.\n\nlibcurl provides a function call that duplicates an easy handle called\n[curl_easy_duphandle](https://curl.se/libcurl/c/curl_easy_duphandle.html).\n\nIf a transfer has cookies enabled when the handle is duplicated, the\ncookie-enable state is also cloned - but without cloning the actual\ncookies. If the source handle did not read any cookies from a specific file on\ndisk, the cloned version of the handle would instead store the filename as\n`none` (using the four ASCII letters, no quotes).\n\nSubsequent use of the cloned handle that does not explicitly set a source to\nload cookies from would then inadvertently load cookies from a file named\n`none` - if such a file exists and is readable in the current directory of the\nprogram using libcurl, when using the correct file format of course." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2023-28322", "aliases": [ "CVE-2023-28322" ], "summary": "more POST-after-PUT confusion", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2023-28322.json", "www": "https://curl.se/docs/CVE-2023-28322.html", "issue": "https://hackerone.com/reports/1954658", "CWE": { "id": "CWE-440", "desc": "Expected Behavior Violation" }, "award": { "amount": "480", "currency": "USD" }, "last_affected": "8.0.1", "severity": "Low" }, "published": "2023-05-17T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.7"}, {"fixed": "8.1.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "546572da0457f37c698c02d0a08d90fdfcbeedec"}, {"fixed": "7815647d6582c0a4900be2e1de6c5e61272c496b"} ] } ], "versions": [ "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7" ] } ], "credits": [ { "name": "Hiroki Kurosawa", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When doing HTTP(S) transfers, libcurl might erroneously use the read callback\n(`CURLOPT_READFUNCTION`) to ask for data to send, even when the\n`CURLOPT_POSTFIELDS` option has been set, if the same handle previously was\nused to issue a `PUT` request which used that callback.\n\nThis flaw may surprise the application and cause it to misbehave and either\nsend off the wrong data or use memory after free or similar in the second\ntransfer.\n\nThe problem exists in the logic for a reused handle when it is (expected to\nbe) changed from a PUT to a POST." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2023-28321", "aliases": [ "CVE-2023-28321" ], "summary": "IDN wildcard match", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2023-28321.json", "www": "https://curl.se/docs/CVE-2023-28321.html", "issue": "https://hackerone.com/reports/1950627", "CWE": { "id": "CWE-295", "desc": "Improper Certificate Validation" }, "award": { "amount": "480", "currency": "USD" }, "last_affected": "8.0.1", "severity": "Low" }, "published": "2023-05-17T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.12.0"}, {"fixed": "8.1.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "9631fa740708b1890197fad01e25b34b7e8eb80e"}, {"fixed": "199f2d440d8659b42670c1b796220792b01a97bf"} ] } ], "versions": [ "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0" ] } ], "credits": [ { "name": "Hiroki Kurosawa", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl supports matching of wildcard patterns when listed as \"Subject\nAlternative Name\" in TLS server certificates. curl can be built to use its own\nname matching function for TLS rather than one provided by a TLS library. This\nprivate wildcard matching function would match IDN (International Domain Name)\nhosts incorrectly and could as a result accept patterns that otherwise should\nmismatch.\n\nIDN hostnames are converted to puny code before used for certificate\nchecks. Puny coded names always start with `xn--` and should not be allowed to\npattern match, but the wildcard check in curl could still check for `x*`,\nwhich would match even though the IDN name most likely contained nothing even\nresembling an `x`." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2023-28320", "aliases": [ "CVE-2023-28320" ], "summary": "siglongjmp race condition", "modified": "2025-11-12T00:50:45.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2023-28320.json", "www": "https://curl.se/docs/CVE-2023-28320.html", "issue": "https://hackerone.com/reports/1929597", "CWE": { "id": "CWE-662", "desc": "Improper Synchronization" }, "award": { "amount": "480", "currency": "USD" }, "last_affected": "8.0.1", "severity": "Low" }, "published": "2023-05-17T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.9.8"}, {"fixed": "8.1.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "3c49b405de4fbf1fd7127f91908261268640e54f"}, {"fixed": "13718030ad4b3209a7583b4f27f683cd3a6fa5f2"} ] } ], "versions": [ "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Harry Sintonen", "type": "REMEDIATION_DEVELOPER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl provides several different backends for resolving hostnames, selected\nat build time. If it is built to use the synchronous resolver, it allows name\nresolves to time-out slow operations using `alarm()` and `siglongjmp()`.\n\nWhen doing this, libcurl used a global buffer that was not mutex protected and\na multi-threaded application might therefore crash or otherwise misbehave." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2023-27533", "aliases": [ "CVE-2023-27533" ], "summary": "TELNET option IAC injection", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2023-27533.json", "www": "https://curl.se/docs/CVE-2023-27533.html", "issue": "https://hackerone.com/reports/1891474", "CWE": { "id": "CWE-75", "desc": "Failure to Sanitize Special Elements into a Different Plane" }, "award": { "amount": "480", "currency": "USD" }, "last_affected": "7.88.1", "severity": "Low" }, "published": "2023-03-20T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.7"}, {"fixed": "8.0.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4"}, {"fixed": "538b1e79a6e7b0bb829ab4cecc828d32105d0684"} ] } ], "versions": [ "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl supports communicating using the TELNET protocol and as a part of this it\noffers users to pass on username and \"telnet options\" for the server\nnegotiation.\n\nDue to lack of proper input scrubbing and without it being the documented\nfunctionality, curl would pass on username and telnet options to the server\nas provided. This could allow users to pass in carefully crafted content that\npass on content or do option negotiation without the application intending to\ndo so. In particular if an application for example allows users to provide the\ndata or parts of the data." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2022-32221", "aliases": [ "CVE-2022-32221" ], "summary": "POST following PUT confusion", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2022-32221.json", "www": "https://curl.se/docs/CVE-2022-32221.html", "issue": "https://hackerone.com/reports/1704017", "CWE": { "id": "CWE-440", "desc": "Expected Behavior Violation" }, "award": { "amount": "2400", "currency": "USD" }, "last_affected": "7.85.0", "severity": "Medium" }, "published": "2022-10-26T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.7"}, {"fixed": "7.86.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "546572da0457f37c698c02d0a08d90fdfcbeedec"}, {"fixed": "a64e3e59938abd7d667e4470a18072a24d7e9de9"} ] } ], "versions": [ "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7" ] } ], "credits": [ { "name": "Robby Simpson", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When doing HTTP(S) transfers, libcurl might erroneously use the read callback\n(`CURLOPT_READFUNCTION`) to ask for data to send, even when the\n`CURLOPT_POSTFIELDS` option has been set, if the same handle previously was\nused to issue a `PUT` request which used that callback.\n\nThis flaw may surprise the application and cause it to misbehave and either\nsend off the wrong data or use memory after free or similar in the subsequent\n`POST` request.\n\nThe problem exists in the logic for a reused handle when it is changed from a\nPUT to a POST." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2022-35252", "aliases": [ "CVE-2022-35252" ], "summary": "control code in cookie denial of service", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2022-35252.json", "www": "https://curl.se/docs/CVE-2022-35252.html", "issue": "https://hackerone.com/reports/1613943", "CWE": { "id": "CWE-1286", "desc": "Improper Validation of Syntactic Correctness of Input" }, "award": { "amount": "480", "currency": "USD" }, "last_affected": "7.84.0", "severity": "Low" }, "published": "2022-08-31T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "4.9"}, {"fixed": "7.85.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"}, {"fixed": "8dfc93e573ca740544a2d79ebb0ed786592c65c3"} ] } ], "versions": [ "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1", "6.0", "5.11", "5.10", "5.9.1", "5.9", "5.8", "5.7.1", "5.7", "5.5.1", "5.5", "5.4", "5.3", "5.2.1", "5.2", "5.0", "4.10", "4.9" ] } ], "credits": [ { "name": "Axel Chong", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When curl retrieves and parses cookies from an HTTP(S) server, it accepts\ncookies using control codes (byte values below 32). When cookies that contain\nsuch control codes are later sent back to an HTTP(S) server, it might make the\nserver return a 400 response. Effectively allowing a \"sister site\" to deny\nservice to siblings." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2022-27776", "aliases": [ "CVE-2022-27776" ], "summary": "Auth/cookie leak on redirect", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2022-27776.json", "www": "https://curl.se/docs/CVE-2022-27776.html", "issue": "https://hackerone.com/reports/1547048", "CWE": { "id": "CWE-522", "desc": "Insufficiently Protected Credentials" }, "award": { "amount": "480", "currency": "USD" }, "last_affected": "7.82.0", "severity": "Low" }, "published": "2022-04-27T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "4.9"}, {"fixed": "7.83.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"}, {"fixed": "6e659993952aa5f90f48864be84a1bbb047fc258"} ] } ], "versions": [ "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1", "6.0", "5.11", "5.10", "5.9.1", "5.9", "5.8", "5.7.1", "5.7", "5.5.1", "5.5", "5.4", "5.3", "5.2.1", "5.2", "5.0", "4.10", "4.9" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl might leak authentication or cookie header data on HTTP redirects to the\nsame host but another port number.\n\nWhen asked to send custom headers or cookies in its HTTP requests, curl sends\nthat set of headers only to the host which name is used in the initial URL, so\nthat redirects to other hosts make curl send the data to those. However, due\nto a flawed check, curl wrongly also sends that same set of headers to the\nhosts that are identical to the first one but use a different port number or\nURL scheme. Contrary to expectation and intention.\n\nSending the same set of headers to a server on a different port number is a\nproblem for applications that pass on custom `Authorization:` or `Cookie:`\nheaders, as those headers often contain privacy sensitive information or data.\n\ncurl and libcurl have options that allow users to opt out from this check, but\nthat is not set by default." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2022-27774", "aliases": [ "CVE-2022-27774" ], "summary": "Credential leak on redirect", "modified": "2023-05-06T00:27:48.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2022-27774.json", "www": "https://curl.se/docs/CVE-2022-27774.html", "issue": "https://hackerone.com/reports/1543773", "CWE": { "id": "CWE-522", "desc": "Insufficiently Protected Credentials" }, "award": { "amount": "2400", "currency": "USD" }, "last_affected": "7.82.0", "severity": "Medium" }, "published": "2022-04-27T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "4.9"}, {"fixed": "7.83.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"}, {"fixed": "139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08"} ] } ], "versions": [ "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1", "6.0", "5.11", "5.10", "5.9.1", "5.9", "5.8", "5.7.1", "5.7", "5.5.1", "5.5", "5.4", "5.3", "5.2.1", "5.2", "5.0", "4.10", "4.9" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl follows HTTP(S) redirects when asked to. curl also supports\nauthentication. When a user and password are provided for a URL with a given\nhostname, curl makes an effort to not pass on those credentials to other hosts\nin redirects unless given permission with a special option.\n\nThis \"same host check\" has been flawed all since it was introduced. It does\nnot work on cross protocol redirects and it does not consider different port\nnumbers to be separate hosts. This leads to curl leaking credentials to other\nservers when it follows redirects from auth protected HTTP(S) URLs to other\nprotocols and port numbers. It could also leak the TLS SRP credentials this\nway.\n\nBy default, curl only allows redirects to HTTP(S) and FTP(S), but can be asked\nto allow redirects to all protocols curl supports." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2021-22925", "aliases": [ "CVE-2021-22925" ], "summary": "TELNET stack contents disclosure again", "modified": "2023-05-09T13:59:45.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2021-22925.json", "www": "https://curl.se/docs/CVE-2021-22925.html", "issue": "https://hackerone.com/reports/1223882", "CWE": { "id": "CWE-457", "desc": "Use of Uninitialized Variable" }, "award": { "amount": "800", "currency": "USD" }, "last_affected": "7.77.0", "severity": "Medium" }, "published": "2021-07-21T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.7"}, {"fixed": "7.78.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4"}, {"fixed": "894f6ec730597eb243618d33cc84d71add8d6a8a"} ] } ], "versions": [ "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7" ] } ], "credits": [ { "name": "Red Hat Product Security", "type": "FINDER" }, { "name": "Red Hat Product Security", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`\nin libcurl. This rarely used option is used to send variable=content pairs to\nTELNET servers.\n\nDue to flaw in the option parser for sending `NEW_ENV` variables, libcurl\ncould be made to pass on uninitialized data from a stack based buffer to the\nserver. Therefore potentially revealing sensitive internal information to the\nserver using a clear-text network protocol.\n\nThis could happen because curl did not call and use `sscanf()` correctly when\nparsing the string provided by the application.\n\nThe previous curl security vulnerability\n[CVE-2021-22898](https://curl.se/docs/CVE-2021-22898.html) is almost identical\nto this one but the fix was insufficient so this security vulnerability\nremained." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2021-22924", "aliases": [ "CVE-2021-22924" ], "summary": "Bad connection reuse due to flawed path name checks", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2021-22924.json", "www": "https://curl.se/docs/CVE-2021-22924.html", "issue": "https://hackerone.com/reports/1223565", "CWE": { "id": "CWE-295", "desc": "Improper Certificate Validation" }, "award": { "amount": "1200", "currency": "USD" }, "last_affected": "7.77.0", "severity": "Medium" }, "published": "2021-07-21T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.10.4"}, {"fixed": "7.78.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "89721ff04af70f527baae1368f3b992777bf6526"}, {"fixed": "5ea3145850ebff1dc2b13d17440300a01ca38161"} ] } ], "versions": [ "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl keeps previously used connections in a connection pool for subsequent\ntransfers to reuse, if one of them matches the setup.\n\nDue to errors in the logic, the config matching function did not take 'issuer\ncert' into account and it compared the involved paths *case insensitively*,\nwhich could lead to libcurl reusing wrong connections.\n\nFile paths are, or can be, case sensitive on many systems but not all, and can\neven vary depending on used file systems.\n\nThe comparison also did not include the 'issuer cert' which a transfer can set\nto qualify how to verify the server certificate." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2021-22898", "aliases": [ "CVE-2021-22898" ], "summary": "TELNET stack contents disclosure", "modified": "2023-05-09T13:59:45.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2021-22898.json", "www": "https://curl.se/docs/CVE-2021-22898.html", "issue": "https://hackerone.com/reports/1176461", "CWE": { "id": "CWE-457", "desc": "Use of Uninitialized Variable" }, "award": { "amount": "1000", "currency": "USD" }, "last_affected": "7.76.1", "severity": "Medium" }, "published": "2021-05-26T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.7"}, {"fixed": "7.77.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4"}, {"fixed": "39ce47f219b09c380b81f89fe54ac586c8db6bde"} ] } ], "versions": [ "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7" ] } ], "credits": [ { "name": "Harry Sintonen", "type": "FINDER" }, { "name": "Harry Sintonen", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`\nin libcurl. This rarely used option is used to send variable=content pairs to\nTELNET servers.\n\nDue to flaw in the option parser for sending `NEW_ENV` variables, libcurl\ncould be made to pass on uninitialized data from a stack based buffer to the\nserver. Therefore potentially revealing sensitive internal information to the\nserver using a clear-text network protocol.\n\nThis could happen because curl did not check the return code from a\n`sscanf(command, \"%127[^,],%127s\")` function invoke correctly, and would leave\nthe piece of the send buffer uninitialized for the value part if it was\nprovided longer than 127 bytes. The buffer used for this is 2048 bytes big and\nthe *variable* part of the *variable=content* pairs would be stored correctly\nin the send buffer, making curl sending \"interleaved\" bytes sequences of stack\ncontents. A single curl TELNET handshake could then be made to send off a\ntotal of around 1800 bytes of (non-contiguous) stack contents in this style:\n\n [control byte]name[control byte]\n stack contents\n [control byte]name[control byte]\n stack contents\n ...\n\nAn easy proof of concept command line looks like this:\n\n curl telnet://example.com -tNEW_ENV=a,bbbbbb (256 'b's)" }, { "schema_version": "1.5.0", "id": "CURL-CVE-2021-22876", "aliases": [ "CVE-2021-22876" ], "summary": "Automatic referer leaks credentials", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2021-22876.json", "www": "https://curl.se/docs/CVE-2021-22876.html", "issue": "https://hackerone.com/reports/1101882", "CWE": { "id": "CWE-359", "desc": "Exposure of Private Personal Information to an Unauthorized Actor" }, "award": { "amount": "800", "currency": "USD" }, "last_affected": "7.75.0", "severity": "Low" }, "published": "2021-03-31T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.1.1"}, {"fixed": "7.76.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "f30ffef477636dc10a72eb30590a84a0218e5935"}, {"fixed": "7214288898f5625a6cc196e22a74232eada7861c"} ] } ], "versions": [ "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1" ] } ], "credits": [ { "name": "Viktor Szakats", "type": "FINDER" }, { "name": "Viktor Szakats", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl does not strip off user credentials from the URL when automatically\npopulating the `Referer:` HTTP request header field in outgoing HTTP requests,\nand therefore risks leaking sensitive data to the server that is the target of\nthe second HTTP request.\n\nlibcurl automatically sets the `Referer:` HTTP request header field in\noutgoing HTTP requests if the `CURLOPT_AUTOREFERER` option is set. With the\ncurl tool, it is enabled with `--referer \";auto\"`." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2020-8284", "aliases": [ "CVE-2020-8284" ], "summary": "trusting FTP PASV responses", "modified": "2024-07-02T09:22:24.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2020-8284.json", "www": "https://curl.se/docs/CVE-2020-8284.html", "issue": "https://hackerone.com/reports/1040166", "CWE": { "id": "CWE-200", "desc": "Exposure of Sensitive Information to an Unauthorized Actor" }, "award": { "amount": "700", "currency": "USD" }, "last_affected": "7.73.0", "severity": "Low" }, "published": "2020-12-09T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "4.0"}, {"fixed": "7.74.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"}, {"fixed": "ec9cc725d598ac77de7b6df8afeec292b3c8ad46"} ] } ], "versions": [ "7.73.0", "7.72.0", "7.71.1", "7.71.0", "7.70.0", "7.69.1", "7.69.0", "7.68.0", "7.67.0", "7.66.0", "7.65.3", "7.65.2", "7.65.1", "7.65.0", "7.64.1", "7.64.0", "7.63.0", "7.62.0", "7.61.1", "7.61.0", "7.60.0", "7.59.0", "7.58.0", "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1", "6.0", "5.11", "5.10", "5.9.1", "5.9", "5.8", "5.7.1", "5.7", "5.5.1", "5.5", "5.4", "5.3", "5.2.1", "5.2", "5.0", "4.10", "4.9", "4.8.4", "4.8.3", "4.8.2", "4.8.1", "4.8", "4.7", "4.6", "4.5.1", "4.5", "4.4", "4.3", "4.2", "4.1", "4.0" ] } ], "credits": [ { "name": "Varnavas Papaioannou", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When curl performs a passive FTP transfer, it first tries the `EPSV` command\nand if that is not supported, it falls back to using `PASV`. Passive mode is\nwhat curl uses by default.\n\nA server response to a `PASV` command includes the (IPv4) address and port\nnumber for the client to connect back to in order to perform the actual data\ntransfer.\n\nThis is how the FTP protocol is designed to work.\n\nA malicious server can use the `PASV` response to trick curl into connecting\nback to a given IP address and port, and this way potentially make curl\nextract information about services that are otherwise private and not\ndisclosed, for example doing port scanning and service banner extractions.\n\nIf curl operates on a URL provided by a user (which by all means is an unwise\nsetup), a user can exploit that and pass in a URL to a malicious FTP server\ninstance without needing any server breach to perform the attack." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2018-1000007", "aliases": [ "CVE-2018-1000007" ], "summary": "HTTP authentication leak in redirects", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2018-1000007.json", "www": "https://curl.se/docs/CVE-2018-1000007.html", "CWE": { "id": "CWE-522", "desc": "Insufficiently Protected Credentials" }, "last_affected": "7.57.0", "severity": "Low" }, "published": "2018-01-24T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "6.0"}, {"fixed": "7.58.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"}, {"fixed": "af32cd3859336ab963591ca0df9b1e33a7ee066b"} ] } ], "versions": [ "7.57.0", "7.56.1", "7.56.0", "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1", "6.0" ] } ], "credits": [ { "name": "Craig de Stigter", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl might leak authentication data to third parties.\n\nWhen asked to send custom headers in its HTTP requests, curl sends that set of\nheaders first to the host in the initial URL but also, if asked to follow\nredirects and a 30X HTTP response code is returned, to the host mentioned in\nURL in the `Location:` response header value.\n\nSending the same set of headers to subsequent hosts is in particular a problem\nfor applications that pass on custom `Authorization:` headers, as this header\noften contains privacy sensitive information or data that could allow others\nto impersonate the curl-using client's request." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2017-1000254", "aliases": [ "CVE-2017-1000254" ], "summary": "FTP PWD response parser out of bounds read", "modified": "2024-07-02T09:22:24.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2017-1000254.json", "www": "https://curl.se/docs/CVE-2017-1000254.html", "CWE": { "id": "CWE-126", "desc": "Buffer Over-read" }, "last_affected": "7.55.1", "severity": "Medium" }, "published": "2017-10-04T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.7"}, {"fixed": "7.56.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "415d2e7cb7dd4f40b7c857f0fba23487dcd030a0"}, {"fixed": "5ff2c5ff25750aba1a8f64fbcad8e5b891512584"} ] } ], "versions": [ "7.55.1", "7.55.0", "7.54.1", "7.54.0", "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7" ] } ], "credits": [ { "name": "Max Dymond", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl may read outside of a heap allocated buffer when doing FTP.\n\nWhen libcurl connects to an FTP server and successfully logs in (anonymous or\nnot), it asks the server for the current directory with the `PWD` command. The\nserver then responds with a 257 response containing the path, inside double\nquotes. The returned path name is then kept by libcurl for subsequent uses.\n\nDue to a flaw in the string parser for this directory name, a directory name\npassed like this but without a closing double quote would lead to libcurl not\nadding a trailing null byte to the buffer holding the name. When libcurl would\nthen later access the string, it could read beyond the allocated heap buffer\nand crash or wrongly access data beyond the buffer, thinking it was part of\nthe path.\n\nA malicious server could abuse this fact and effectively prevent libcurl-based\nclients to work with it - the PWD command is always issued on new FTP\nconnections and the mistake has a high chance of causing a segfault.\n\nThe simple fact that this issue has remained undiscovered for this long could\nsuggest that malformed PWD responses are rare in benign servers." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2017-7407", "aliases": [ "CVE-2017-7407" ], "summary": "--write-out out of buffer read", "modified": "2024-12-18T10:24:02.00Z", "database_specific": { "package": "curl", "affects": "tool", "URL": "https://curl.se/docs/CVE-2017-7407.json", "www": "https://curl.se/docs/CVE-2017-7407.html", "CWE": { "id": "CWE-126", "desc": "Buffer Over-read" }, "last_affected": "7.53.1", "severity": "Medium" }, "published": "2017-04-03T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "6.5"}, {"fixed": "7.54.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "d073ec0a719bfad28b791f1ead089be655b896e9"}, {"fixed": "8e65877870c1fac920b65219adec720df810aab9"} ] } ], "versions": [ "7.53.1", "7.53.0", "7.52.1", "7.52.0", "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5" ] } ], "credits": [ { "name": "Brian Carpenter (Geeknik Labs)", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "There were two bugs in curl's parser for the command line option `--write-out`\n(or `-w` for short) that would skip the end of string zero byte if the string\nended in a `%` (percent) or `\\` (backslash), and it would read beyond that\nbuffer in the heap memory and it could then potentially output pieces of that\nmemory to the terminal or the target file etc.\n\nThe curl security team did not report this as a security vulnerability due to\nthe minimal risk: the memory this would output comes from the process the user\nitself invokes and that runs with the same privileges as the user. We could\nnot come up with a likely scenario where this could leak other users' data or\nmemory contents.\n\nAn external party registered this as a CVE with MITRE and we feel a\nresponsibility to clarify what this flaw is about. The CVE-2017-7407 issue is\nspecifically only about the `%` part of this flaw.\n\nThis flaw only exists in the command line tool." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2016-9586", "aliases": [ "CVE-2016-9586" ], "summary": "printf floating point buffer overflow", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2016-9586.json", "www": "https://curl.se/docs/CVE-2016-9586.html", "CWE": { "id": "CWE-121", "desc": "Stack-based Buffer Overflow" }, "last_affected": "7.51.0", "severity": "Medium" }, "published": "2016-12-21T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "5.4"}, {"fixed": "7.52.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"}, {"fixed": "3ab3c16db6a5674f53cf23d56512a405fde0b2c9"} ] } ], "versions": [ "7.51.0", "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1", "6.0", "5.11", "5.10", "5.9.1", "5.9", "5.8", "5.7.1", "5.7", "5.5.1", "5.5", "5.4" ] } ], "credits": [ { "name": "Daniel Stenberg", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl's implementation of the printf() functions triggers a buffer overflow\nwhen doing a large floating point output. The bug occurs when the conversion\noutputs more than 255 bytes.\n\nThe flaw happens because the floating point conversion is using system\nfunctions without the correct boundary checks.\n\nThe functions have been documented as deprecated for a long time and users are\ndiscouraged from using them in \"new programs\" as they are planned to get\nremoved at a future point. Since the functions are present and there is\nnothing preventing users from using them, we expect there to be a certain\namount of existing users in the wild.\n\nIf there are any application that accepts a format string from the outside\nwithout necessary input filtering, it could allow remote attacks.\n\nThis flaw does not exist in the command line tool." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2016-8615", "aliases": [ "CVE-2016-8615" ], "summary": "cookie injection for other servers", "modified": "2025-11-12T00:50:45.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2016-8615.json", "www": "https://curl.se/docs/CVE-2016-8615.html", "CWE": { "id": "CWE-187", "desc": "Partial Comparison" }, "last_affected": "7.50.3", "severity": "High" }, "published": "2016-11-02T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "4.9"}, {"fixed": "7.51.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"}, {"fixed": "cff89bc088b7884098ea0c5378bbda3d49c437bc"} ] } ], "versions": [ "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1", "6.0", "5.11", "5.10", "5.9.1", "5.9", "5.8", "5.7.1", "5.7", "5.5.1", "5.5", "5.4", "5.3", "5.2.1", "5.2", "5.0", "4.10", "4.9" ] } ], "credits": [ { "name": "Cure53", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "If cookie state is written into a cookie jar file that is later read back and\nused for subsequent requests, a malicious HTTP server can inject new cookies\nfor arbitrary domains into said cookie jar.\n\nThe issue pertains to the function that loads cookies into memory, which reads\nthe specified file into a fixed-size buffer in a line-by-line manner using the\n`fgets()` function. If an invocation of `fgets()` cannot read the whole line\ninto the destination buffer due to it being too small, it truncates the\noutput. This way, a long cookie (name + value) sent by a malicious server\nwould be stored in the file and subsequently that cookie could be read\npartially and crafted correctly, it could be treated as a different cookie for\nanother server." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2016-8616", "aliases": [ "CVE-2016-8616" ], "summary": "case insensitive password comparison", "modified": "2025-09-27T10:58:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2016-8616.json", "www": "https://curl.se/docs/CVE-2016-8616.html", "CWE": { "id": "CWE-178", "desc": "Improper Handling of Case Sensitivity" }, "last_affected": "7.50.3", "severity": "Medium" }, "published": "2016-11-02T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.7"}, {"fixed": "7.51.0"} ] } ], "versions": [ "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7" ] } ], "credits": [ { "name": "Cure53", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When reusing a connection, curl was doing case insensitive comparisons of\nusername and password with the existing connections.\n\nThis means that if an unused connection with proper credentials exists for a\nprotocol that has connection-scoped credentials, an attacker can cause that\nconnection to be reused if s/he knows the case-insensitive version of the\ncorrect password." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2016-8617", "aliases": [ "CVE-2016-8617" ], "summary": "OOB write via unchecked multiplication", "modified": "2025-11-12T00:50:45.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2016-8617.json", "www": "https://curl.se/docs/CVE-2016-8617.html", "CWE": { "id": "CWE-131", "desc": "Incorrect Calculation of Buffer Size" }, "last_affected": "7.50.3", "severity": "Medium" }, "published": "2016-11-02T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.8.1"}, {"fixed": "7.51.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "00b00c693127d9e3a4eedce4c8cdf6e87087192d"}, {"fixed": "efd24d57426bd77c9b5860e6b297904703750412"} ] } ], "versions": [ "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1" ] } ], "credits": [ { "name": "Cure53", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "In libcurl's base64 encode function, the output buffer is allocated as follows\nwithout any checks on `insize`:\n\n malloc( insize * 4 / 3 + 4 )\n\nOn systems with 32-bit addresses in userspace (e.g. x86, ARM, x32), the\nmultiplication in the expression wraps around if `insize` is at least 1GB of\ndata. If this happens, an undersized output buffer is allocated, but the full\nresult is written, thus causing the memory behind the output buffer to be\noverwritten.\n\nIf a username is set directly via `CURLOPT_USERNAME` (or curl's `-u, --user`\noption), this vulnerability can be triggered. The name has to be at least\n512MB big in a 32-bit system.\n\nSystems with 64-bit versions of the `size_t` type are not affected by this\nissue." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2016-8618", "aliases": [ "CVE-2016-8618" ], "summary": "double free in curl_maprintf", "modified": "2025-11-12T00:50:45.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2016-8618.json", "www": "https://curl.se/docs/CVE-2016-8618.html", "CWE": { "id": "CWE-415", "desc": "Double Free" }, "last_affected": "7.50.3", "severity": "Medium" }, "published": "2016-11-02T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "5.4"}, {"fixed": "7.51.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"}, {"fixed": "8732ec40db652c53fa58cd13e2acb8eab6e40874"} ] } ], "versions": [ "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1", "6.0", "5.11", "5.10", "5.9.1", "5.9", "5.8", "5.7.1", "5.7", "5.5.1", "5.5", "5.4" ] } ], "credits": [ { "name": "Cure53", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "The libcurl API function called `curl_maprintf()` can be tricked into doing a\ndouble free due to an unsafe `size_t` multiplication, on systems using 32-bit\n`size_t` variables. The function is also used internally in numerous\nsituations.\n\nThe function doubles an allocated memory area with realloc() and allows the\nsize to wrap and become zero and when doing so realloc() returns NULL *and*\nfrees the memory - in contrary to normal realloc() fails where it only returns\nNULL - causing libcurl to free the memory *again* in the error path.\n\nSystems with 64-bit versions of the `size_t` type are not affected by this\nissue.\n\nThis behavior can be triggered using the publicly exposed function." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2016-8619", "aliases": [ "CVE-2016-8619" ], "summary": "double free in krb5 code", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2016-8619.json", "www": "https://curl.se/docs/CVE-2016-8619.html", "CWE": { "id": "CWE-415", "desc": "Double Free" }, "last_affected": "7.50.3", "severity": "High" }, "published": "2016-11-02T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.3"}, {"fixed": "7.51.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "def69c30879c0246bccb02d79e06b937e39d0ba4"}, {"fixed": "3d6460edeee21d7d790ec570d0887bed1f4366dd"} ] } ], "versions": [ "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3" ] } ], "credits": [ { "name": "Cure53", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "In curl's implementation of the Kerberos authentication mechanism, the\nfunction `read_data()` in security.c is used to fill the necessary krb5\nstructures. When reading one of the length fields from the socket, it fails to\nensure that the length parameter passed to realloc() is not set to 0.\n\nThis would lead to realloc() getting called with a zero size and when doing so\nrealloc() returns NULL *and* frees the memory - in contrary to normal\nrealloc() fails where it only returns NULL - causing libcurl to free the\nmemory *again* in the error path.\n\nThis flaw could be triggered by a malicious or just otherwise ill-behaving\nserver." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2016-8623", "aliases": [ "CVE-2016-8623" ], "summary": "Use after free via shared cookies", "modified": "2023-06-02T13:03:22.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2016-8623.json", "www": "https://curl.se/docs/CVE-2016-8623.html", "CWE": { "id": "CWE-416", "desc": "Use After Free" }, "last_affected": "7.50.3", "severity": "High" }, "published": "2016-11-02T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.10.7"}, {"fixed": "7.51.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "41ae97e710f728495a1d6adba6476c21b94c4881"}, {"fixed": "c5be3d7267c725dbd093ff3a883e07ee8cf2a1d5"} ] } ], "versions": [ "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7" ] } ], "credits": [ { "name": "Cure53", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl explicitly allows users to share cookies between multiple easy handles\nthat are concurrently employed by different threads.\n\nWhen cookies to be sent to a server are collected, the matching function\ncollects all cookies to send and the cookie lock is released immediately\nafterwards. That function however only returns a list with *references* back\nto the original strings for name, value, path and so on. Therefore, if another\nthread quickly takes the lock and frees one of the original cookie structs\ntogether with its strings, a use after free can occur and lead to information\ndisclosure. Another thread can also replace the contents of the cookies from\nseparate HTTP responses or API calls." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2016-8624", "aliases": [ "CVE-2016-8624" ], "summary": "invalid URL parsing with '#'", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2016-8624.json", "www": "https://curl.se/docs/CVE-2016-8624.html", "CWE": { "id": "CWE-172", "desc": "Encoding Error" }, "last_affected": "7.50.3", "severity": "Medium" }, "published": "2016-11-02T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "6.0"}, {"fixed": "7.51.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"}, {"fixed": "3bb273db7e40ebc284cff45f3ce3f0475c8339c2"} ] } ], "versions": [ "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1", "6.0" ] } ], "credits": [ { "name": "Fernando Muñoz", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl does not parse the authority component of the URL correctly when the host\nname part ends with a hash (`#`) character, and could instead be tricked into\nconnecting to a different host. This may have security implications if you for\nexample use a URL parser that follows the RFC to check for allowed domains\nbefore using curl to request them.\n\nPassing in `http://example.com#@evil.com/x.txt` would wrongly make curl send a\nrequest to evil.com while your browser would connect to example.com given the\nsame URL.\n\nThe problem exists for most protocol schemes." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2016-8625", "aliases": [ "CVE-2016-8625" ], "summary": "IDNA 2003 makes curl use wrong host", "modified": "2025-11-12T00:50:45.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2016-8625.json", "www": "https://curl.se/docs/CVE-2016-8625.html", "CWE": { "id": "CWE-838", "desc": "Inappropriate Encoding for Output Context" }, "last_affected": "7.50.3", "severity": "High" }, "published": "2016-11-02T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.12.0"}, {"fixed": "7.51.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "9631fa740708b1890197fad01e25b34b7e8eb80e"}, {"fixed": "9c91ec778104ae3b744b39444d544e82d5ee9ece"} ] } ], "versions": [ "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0" ] } ], "credits": [ { "name": "Christian Heimes", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When curl is built with libidn to handle International Domain Names (IDNA), it\ntranslates them to puny code for DNS resolving using the IDNA 2003 standard,\nwhile IDNA 2008 is the modern and up-to-date IDNA standard.\n\nThis misalignment causes problems with for example domains using the German ß\ncharacter (known as the Unicode Character `LATIN SMALL LETTER SHARP S`) which\nis used at times in the `.de` TLD and is translated differently in the two\nIDNA standards, leading to users potentially and unknowingly issuing network\ntransfer requests to the wrong host.\n\nFor example, `straße.de` is translated into `strasse.de` using IDNA 2003 but\nis translated into `xn--strae-oqa.de` using IDNA 2008. Needless to say, those\nhostnames could well resolve to different addresses and be two completely\nindependent servers. IDNA 2008 is mandatory for `.de` domains.\n\ncurl is not alone with this problem, as there is currently a big flux in the\nworld of network user-agents about which IDNA version to support and use.\n\nThis name problem exists for DNS-using protocols in curl, but only when built\nto use libidn." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2016-7167", "aliases": [ "CVE-2016-7167" ], "summary": "curl escape and unescape integer overflows", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2016-7167.json", "www": "https://curl.se/docs/CVE-2016-7167.html", "CWE": { "id": "CWE-131", "desc": "Incorrect Calculation of Buffer Size" }, "last_affected": "7.50.2", "severity": "Medium" }, "published": "2016-09-14T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.11.1"}, {"fixed": "7.50.3"} ] } ], "versions": [ "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1" ] } ], "credits": [ { "name": "the Mitre CVE Assignment Team", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "The four libcurl functions `curl_escape()`, `curl_easy_escape()`,\n`curl_unescape` and `curl_easy_unescape` perform string URL percent escaping\nand unescaping. They accept custom string length inputs in signed integer\narguments. (The functions having names without \"easy\" being the deprecated\nversions of the others.)\n\nThe provided string length arguments were not properly checked and due to\narithmetic in the functions, passing in the length `0xffffffff` (2^32-1 or\n`UINT_MAX` or even just -1) would end up causing an allocation of zero bytes\nof heap memory that curl would attempt to write gigabytes of data into.\n\nThe use of 'int' for this input type in the API is of course unwise but has\nremained so in order to maintain the API over the years." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2016-5419", "aliases": [ "CVE-2016-5419" ], "summary": "TLS session resumption client cert bypass", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2016-5419.json", "www": "https://curl.se/docs/CVE-2016-5419.html", "CWE": { "id": "CWE-305", "desc": "Authentication Bypass by Primary Weakness" }, "last_affected": "7.50.0", "severity": "High" }, "published": "2016-08-03T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "5.0"}, {"fixed": "7.50.1"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"}, {"fixed": "247d890da88f9ee817079e246c59f3d7d12fde5f"} ] } ], "versions": [ "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1", "6.0", "5.11", "5.10", "5.9.1", "5.9", "5.8", "5.7.1", "5.7", "5.5.1", "5.5", "5.4", "5.3", "5.2.1", "5.2", "5.0" ] } ], "credits": [ { "name": "Bru Rom", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" }, { "name": "Eric Rescorla", "type": "OTHER" }, { "name": "Ray Satiro", "type": "OTHER" } ], "details": "libcurl would attempt to resume a TLS session even if the client certificate\nhad changed. That is unacceptable since a server by specification is allowed\nto skip the client certificate check on resume, and may instead use the old\nidentity which was established by the previous certificate (or no\ncertificate).\n\nlibcurl supports by default the use of TLS session id/ticket to resume\nprevious TLS sessions to speed up subsequent TLS handshakes. They are used\nwhen for any reason an existing TLS connection could not be kept alive to make\nthe next handshake faster." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2016-5420", "aliases": [ "CVE-2016-5420" ], "summary": "Reusing connections with wrong client cert", "modified": "2025-09-27T10:58:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2016-5420.json", "www": "https://curl.se/docs/CVE-2016-5420.html", "CWE": { "id": "CWE-305", "desc": "Authentication Bypass by Primary Weakness" }, "last_affected": "7.50.0", "severity": "Medium" }, "published": "2016-08-03T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.7"}, {"fixed": "7.50.1"} ] } ], "versions": [ "7.50.0", "7.49.1", "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7" ] } ], "credits": [ { "name": "the curl security team", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl did not consider client certificates when reusing TLS connections.\n\nlibcurl supports reuse of established connections for subsequent requests. It\ndoes this by keeping a few previous connections \"alive\" in a connection pool\nso that a subsequent request that can use one of them instead of creating a\nnew connection.\n\nWhen using a client certificate for a connection that was then put into the\nconnection pool, that connection could then wrongly get reused in a subsequent\nrequest to that same server that either did not use a client certificate at\nall or that asked to use a different client certificate thus trying to tell\nthe user that it is a different entity.\n\nThis mistakenly using the wrong connection could of course lead to\napplications sending requests to the wrong realms of the server using\nauthentication that it was not supposed to have for those operations." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2016-4802", "aliases": [ "CVE-2016-4802" ], "summary": "Windows DLL hijacking", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2016-4802.json", "www": "https://curl.se/docs/CVE-2016-4802.html", "CWE": { "id": "CWE-94", "desc": "Improper Control of Generation of Code ('Code Injection')" }, "last_affected": "7.49.0", "severity": "High" }, "published": "2016-05-30T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.11.1"}, {"fixed": "7.49.1"} ] } ], "versions": [ "7.49.0", "7.48.0", "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1" ] } ], "credits": [ { "name": "Guohui from Huawei WeiRan Labs", "type": "FINDER" }, { "name": "Steve Holme", "type": "REMEDIATION_DEVELOPER" }, { "name": "Stefan Kanthak", "type": "OTHER" }, { "name": "Jay Satiro", "type": "OTHER" } ], "details": "libcurl would load Windows system DLLs in a manner that may make it vulnerable\nto a DLL hijacking (aka binary planting) attack in certain configurations.\n\nlibcurl has a unified code base that builds and runs on a multitude of\ndifferent versions of Windows. To make that possible, when libcurl is built\nwith SSPI or telnet is used, it dynamically loads some of the necessary system\nDLLs at runtime by calling `LoadLibrary()`. No path is specified for these\nDLLs.\n\nTo find a DLL when no path is specified `LoadLibrary()` follows [DLL search\norder](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586.aspx#search_order_for_desktop_applications)\nto load it. If it is a \"known DLL\" no searching is done, the system copy is\nused. If it is not a \"known DLL\": The application directory is searched first.\nThe current directory is searched next, if DLL safe search mode is not\nenabled. The system directory is searched next.\n\nThe 3 system DLLs libcurl loads dynamically are `security.dll`, `secur32.dll`\nand `ws2_32.dll` (a \"known DLL\" when installed). These DLLs may not be present\non some versions of Windows, which is why they are loaded\ndynamically. Depending on a number of factors outlined in the DLL search order\ndocument it may be possible for an attacker to plant a DLL of the same name in\nthe user's current directory, application directory or other directory in the\nDLL search order, thereby possibly causing it to be loaded first.\n\n**Recent versions of Windows include all 3 of those dynamically loaded system\nDLLs and also enable safe DLL search mode by default. Therefore in such a case\n`ws2_32.dll` could not be planted, and `security.dll` or `secur32.dll` could\nonly be planted in the application directory.**\n\nTo address this issue we have changed libcurl so that any system DLL it\ndynamically loads in Windows is done in the most secure way available.\n\nNote if an attacker has the ability to write new files to your application\ndirectory they can likely still plant DLLs to be loaded in any case, load-time\nor runtime. This is by design in Windows DLL loading (refer the the DLL\nsearch order doc). For example it may be possible to override DLL search paths\nby planting an app.exe.local file or possibly a fake manifest. There is\nnothing we can do to prevent against this. We advise you to guard write\npermissions on your application directory.\n\n**Also note it is may still be possible for planting attacks to be done\nagainst load-time DLLs used by libcurl and the curl tool. This is because\nWindows loads those DLLs and their dependencies without specifying a\npath. There is nothing we can do to fix this, it is endemic in the design of\nWindows. We advise you to guard write permissions on your application\ndirectory.**" }, { "schema_version": "1.5.0", "id": "CURL-CVE-2016-0754", "aliases": [ "CVE-2016-0754" ], "summary": "remote filename path traversal in curl tool for Windows", "modified": "2024-07-02T09:22:24.00Z", "database_specific": { "package": "curl", "affects": "tool", "URL": "https://curl.se/docs/CVE-2016-0754.json", "www": "https://curl.se/docs/CVE-2016-0754.html", "CWE": { "id": "CWE-22", "desc": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" }, "last_affected": "7.46.0", "severity": "High" }, "published": "2016-01-27T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "4.0"}, {"fixed": "7.47.0"} ] } ], "versions": [ "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1", "6.0", "5.11", "5.10", "5.9.1", "5.9", "5.8", "5.7.1", "5.7", "5.5.1", "5.5", "5.4", "5.3", "5.2.1", "5.2", "5.0", "4.10", "4.9", "4.8.4", "4.8.3", "4.8.2", "4.8.1", "4.8", "4.7", "4.6", "4.5.1", "4.5", "4.4", "4.3", "4.2", "4.1", "4.0" ] } ], "credits": [ { "name": "Ray Satiro (Jay)", "type": "FINDER" }, { "name": "Ray Satiro (Jay)", "type": "REMEDIATION_DEVELOPER" } ], "details": "curl does not sanitize colons in a remote filename that is used as the local\nfilename. This may lead to a vulnerability on systems where the colon is a\nspecial path character. Currently Windows is the only OS where this\nvulnerability applies.\n\ncurl offers command line options --remote-name (also usable as `-O`) and\n`--remote-header-name` (also usable as `-J`). When both of those options are\nused together (-OJ) and the server provides a remote filename for the content,\ncurl writes its output to that server-provided filename, as long as that file\ndoes not already exist. If it does exist curl fails to write.\n\nIf both options are used together (`-OJ`) but the server does not provide a\nremote filename, or if `-O` is used without `-J`, curl writes output to a\nfilename based solely on the remote filename in the URL string provided by the\nuser, regardless of whether or not that file already exists.\n\nIn either case curl does not sanitize colons in the filename. As a result in\nWindows it is possible and unintended behavior for curl to write to a file in\nthe working directory of a drive that is not the current drive (i.e. outside\nthe current working directory), and also possible to write to a file's\nalternate data stream.\n\nFor example if curl `-OJ` and the server sends filename=f:foo curl incorrectly\nwrites foo to the working directory for drive F even if drive F is not the\ncurrent drive. For a more detailed explanation see the 'MORE BACKGROUND AND\nEXAMPLE' section towards the end of this advisory.\n\nThough no known exploit is available for this issue at the time of the\npublication, writing one would be undemanding and could be serious depending\non the name of the file and where it ends up being written." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2016-0755", "aliases": [ "CVE-2016-0755" ], "summary": "NTLM credentials not-checked for proxy connection reuse", "modified": "2025-11-12T00:50:45.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2016-0755.json", "www": "https://curl.se/docs/CVE-2016-0755.html", "CWE": { "id": "CWE-305", "desc": "Authentication Bypass by Primary Weakness" }, "last_affected": "7.46.0", "severity": "Medium" }, "published": "2016-01-27T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.10.7"}, {"fixed": "7.47.0"} ] } ], "versions": [ "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7" ] } ], "credits": [ { "name": "Isaac Boukris", "type": "FINDER" }, { "name": "Isaac Boukris", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl reuses NTLM-authenticated proxy connections without properly making\nsure that the connection was authenticated with the same credentials as set\nfor this transfer.\n\nlibcurl maintains a pool of connections after a transfer has completed. The\npool of connections is then gone through when a new transfer is requested and\nif there is a live connection available that can be reused, it is preferred\ninstead of creating a new one.\n\nSince NTLM-based authentication is *connection oriented* instead of *request\noriented* as other HTTP based authentication, it is important that only\nconnections that have been authenticated with the correct username + password\nare reused. This was done properly for server connections already, but libcurl\nfailed to do it properly for proxy connections using NTLM.\n\nA libcurl application can easily switch user credentials used for a proxy\nconnection between two requests, and that subsequent transfer then MUST make\nlibcurl use another connection. libcurl previously failed to do so.\n\nThe effects of this flaw, is that the application could be reusing a proxy\nconnection using the previously used credentials and thus it could be given to\nor prevented access from resources that it was not intended to.\n\nThis problem is similar to\n[CVE-2014-0015](https://curl.se/docs/CVE-2014-0015.html), which was for\ndirect server connections while this is for proxy connections." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2015-3153", "aliases": [ "CVE-2015-3153" ], "summary": "sensitive HTTP server headers also sent to proxies", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2015-3153.json", "www": "https://curl.se/docs/CVE-2015-3153.html", "CWE": { "id": "CWE-201", "desc": "Information Exposure Through Sent Data" }, "last_affected": "7.42.0", "severity": "High" }, "published": "2015-04-29T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "4.0"}, {"fixed": "7.42.1"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"}, {"fixed": "6ba2e88a642434bd0ffa95465e4a7d034d03ea10"} ] } ], "versions": [ "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1", "6.0", "5.11", "5.10", "5.9.1", "5.9", "5.8", "5.7.1", "5.7", "5.5.1", "5.5", "5.4", "5.3", "5.2.1", "5.2", "5.0", "4.10", "4.9", "4.8.4", "4.8.3", "4.8.2", "4.8.1", "4.8", "4.7", "4.6", "4.5.1", "4.5", "4.4", "4.3", "4.2", "4.1", "4.0" ] } ], "credits": [ { "name": "Yehezkel Horowitz", "type": "FINDER" }, { "name": "Oren Souroujon", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl provides applications a way to set custom HTTP headers to be sent to\nthe server by using `CURLOPT_HTTPHEADER`. A similar option is available for\nthe curl command-line tool with the '--header' option.\n\nWhen the connection passes through an HTTP proxy the same set of headers is\nsent to the proxy as well by default. While this is by design, it has not\nnecessarily been clear nor understood by application programmers.\n\nSuch tunneling over a proxy is done for example when using the HTTPS protocol\n- or when explicitly asked for. In this case, the initial connection to the\nproxy is made in clear including any custom headers using the HTTP CONNECT\nmethod.\n\nWhile libcurl provides the `CURLOPT_HEADEROPT` option to allow applications to\ntell libcurl if the headers should be sent to host and the proxy or use\nseparate lists to the different destinations, it has still defaulted to\nsending the same headers to both parties for the sake of compatibility.\n\nIf the application sets a custom HTTP header with sensitive content (e.g.,\nauthentication cookies) without changing the default, the proxy, and anyone\nwho listens to the traffic between the application and the proxy, might get\naccess to those values.\n\nNote: this problem does not exist when using the `CURLOPT_COOKIE` option (or\nthe `--cookie` option) or the HTTP auth options, which are always sent only to\nthe destination server." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2015-3148", "aliases": [ "CVE-2015-3148" ], "summary": "Negotiate not treated as connection-oriented", "modified": "2025-09-27T10:58:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2015-3148.json", "www": "https://curl.se/docs/CVE-2015-3148.html", "CWE": { "id": "CWE-305", "desc": "Authentication Bypass by Primary Weakness" }, "last_affected": "7.41.0", "severity": "Medium" }, "published": "2015-04-22T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.10.6"}, {"fixed": "7.42.0"} ] } ], "versions": [ "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6" ] } ], "credits": [ { "name": "Isaac Boukris", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl keeps a pool of its last few connections around after use to\nfacilitate easy, convenient and completely transparent connection reuse for\napplications.\n\nWhen doing HTTP requests Negotiate authenticated, the entire connection may\nbecome authenticated and not just the specific HTTP request which is otherwise\nhow HTTP works, as Negotiate can basically use NTLM under the hood. curl was\nnot adhering to this fact but would assume that such requests would also be\nauthenticated per request.\n\nThe net effect is that libcurl may end up reusing an authenticated Negotiate\nconnection and sending subsequent requests on it using new credentials, while\nthe connection remains authenticated with a previous initial credentials\nsetup." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2015-3143", "aliases": [ "CVE-2015-3143" ], "summary": "Reusing authenticated connection when unauthenticated", "modified": "2025-11-12T00:50:45.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2015-3143.json", "www": "https://curl.se/docs/CVE-2015-3143.html", "CWE": { "id": "CWE-305", "desc": "Authentication Bypass by Primary Weakness" }, "last_affected": "7.41.0", "severity": "Medium" }, "published": "2015-04-22T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.10.6"}, {"fixed": "7.42.0"} ] } ], "versions": [ "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6" ] } ], "credits": [ { "name": "Paras Sethia", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl keeps a pool of its last few connections around after use to\nfacilitate easy, convenient and completely transparent connection reuse for\napplications.\n\nWhen doing HTTP requests NTLM authenticated, the entire connection becomes\nauthenticated and not just the specific HTTP request which is otherwise how\nHTTP works. This makes NTLM special and a subject for special treatment in the\ncode. With NTLM, once the connection is authenticated, no further\nauthentication is necessary until the connection gets closed.\n\nlibcurl's connection reuse logic selects an existing connection for reuse\nwhen asked to do a request, and when asked to use NTLM libcurl have to pick a\nconnection with matching credentials only.\n\nIf a connection was first setup and used for an NTLM HTTP request with a\nspecific set of credentials, that same connection could later wrongly get\nreused in a subsequent HTTP request that was made to the same host - but\nwithout having any credentials set! Since an NTLM connection was already\nauthenticated due to how NTLM works, the subsequent request could then get\nsent over the wrong connection appearing as the initial user.\n\nThis problem is similar to the previous problem known as\n[CVE-2014-0015](https://curl.se/docs/CVE-2014-0015.html). The main difference\nthis time is that the subsequent request that wrongly reuse a connection does\nnot ask for NTLM authentication." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2014-8150", "aliases": [ "CVE-2014-8150" ], "summary": "URL request injection", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2014-8150.json", "www": "https://curl.se/docs/CVE-2014-8150.html", "CWE": { "id": "CWE-444", "desc": "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')" }, "last_affected": "7.39.0", "severity": "High" }, "published": "2015-01-08T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "6.0"}, {"fixed": "7.40.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"}, {"fixed": "178bd7db34f77e020fb8562890c5625ccbd67093"} ] } ], "versions": [ "7.39.0", "7.38.0", "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1", "6.0" ] } ], "credits": [ { "name": "Andrey Labunets (Facebook)", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When libcurl sends a request to a server via an HTTP proxy, it copies the\nentire URL into the request and sends if off.\n\nIf the given URL contains line feeds and carriage returns those are sent along\nto the proxy too, which allows the program to for example send a separate HTTP\nrequest injected embedded in the URL.\n\nMany programs allow some kind of external sources to set the URL or provide\npartial pieces for the URL to ask for, and if the URL as received from the\nuser is not stripped good enough this flaw allows malicious users to do\nadditional requests in a way that was not intended, or just to insert request\nheaders into the request that the program did not intend." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2014-3613", "aliases": [ "CVE-2014-3613" ], "summary": "cookie leak with IP address as domain", "modified": "2024-02-08T00:03:48.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2014-3613.json", "www": "https://curl.se/docs/CVE-2014-3613.html", "CWE": { "id": "CWE-201", "desc": "Information Exposure Through Sent Data" }, "last_affected": "7.37.1", "severity": "Medium" }, "published": "2014-09-10T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "4.0"}, {"fixed": "7.38.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"}, {"fixed": "8a75dbeb2305297640453029b7905ef51b87e8dd"} ] } ], "versions": [ "7.37.1", "7.37.0", "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1", "6.0", "5.11", "5.10", "5.9.1", "5.9", "5.8", "5.7.1", "5.7", "5.5.1", "5.5", "5.4", "5.3", "5.2.1", "5.2", "5.0", "4.10", "4.9", "4.8.4", "4.8.3", "4.8.2", "4.8.1", "4.8", "4.7", "4.6", "4.5.1", "4.5", "4.4", "4.3", "4.2", "4.1", "4.0" ] } ], "credits": [ { "name": "Tim Ruehsen", "type": "FINDER" }, { "name": "Tim Ruehsen", "type": "REMEDIATION_DEVELOPER" } ], "details": "By not detecting and rejecting domain names for partial literal IP addresses\nproperly when parsing received HTTP cookies, libcurl can be fooled to both\nsending cookies to wrong sites and into allowing arbitrary sites to set\ncookies for others.\n\nFor this problem to trigger, the client application must use the numerical\nIP address in the URL to access the site and the site must send back cookies\nto the site using domain= and a partial IP address.\n\nSince libcurl wrongly approaches the IP address like it was a normal domain\nname, a site at IP address `192.168.0.1` can set cookies for anything ending\nwith `.168.0.1` thus fooling libcurl to send them also to for example\n`129.168.0.1`.\n\nThe flaw requires dots to be present in the IP address, which restricts the\nflaw to IPv4 literal addresses or IPv6 addresses using the somewhat unusual\n\"dotted-quad\" style: `::ffff:192.0.2.128`.\n\nThis is not believed to be done by typical sites as this is not supported by\nclients that adhere to the rules of the RFC 6265, and many sites are written\nto explicitly use their own specific named domain when sending cookies." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2014-0139", "aliases": [ "CVE-2014-0139" ], "summary": "IP address wildcard certificate validation", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2014-0139.json", "www": "https://curl.se/docs/CVE-2014-0139.html", "CWE": { "id": "CWE-297", "desc": "Improper Validation of Certificate with Host Mismatch" }, "last_affected": "7.35.0", "severity": "Medium" }, "published": "2014-03-26T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.10.3"}, {"fixed": "7.36.0"} ] } ], "versions": [ "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3" ] } ], "credits": [ { "name": "Richard Moore", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl incorrectly validates wildcard SSL certificates containing literal\nIP addresses.\n\nRFC 2818 covers the requirements for matching Common Names (CNs) and\nsubjectAltNames in order to establish valid SSL connections. It first\ndiscusses CNs that are for hostnames, and the rules for wildcards in this\ncase. The next paragraph in the RFC then discusses CNs that are IP addresses:\n\n'In some cases, the URI is specified as an IP address rather than a\nhostname. In this case, the `iPAddress` subjectAltName must be present in the\ncertificate and must exactly match the IP in the URI.'\n\nThe intention of the RFC is clear in that you should not be able to use\nwildcards with IP addresses (in order to avoid the ability to perform\nman-in-the-middle attacks). Unfortunately libcurl fails to adhere to this\nrule under certain conditions, and subsequently it would allow and use a\nwildcard match specified in the CN field.\n\nExploiting this flaw, a malicious server could participate in a MITM attack or\njust easier fool users that it is a legitimate site for whatever purpose, when\nit actually is not.\n\nA good CA should refuse to issue a certificate with the CN as indicated,\nhowever there only need be one CA to issue one in error for this issue to\nresult in the user getting no warning at all and being vulnerable to MITM.\n\nThis flaw is only present in libcurl when built to use one out of a few\nspecific TLS libraries: OpenSSL, axTLS, qsossl or gskit.\n\nThis problem is similar to one previously reported by Richard Moore, found in\nmultiple browsers." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2014-0138", "aliases": [ "CVE-2014-0138" ], "summary": "wrong reuse of connections", "modified": "2025-11-12T00:50:45.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2014-0138.json", "www": "https://curl.se/docs/CVE-2014-0138.html", "CWE": { "id": "CWE-305", "desc": "Authentication Bypass by Primary Weakness" }, "last_affected": "7.35.0", "severity": "Medium" }, "published": "2014-03-26T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.10.6"}, {"fixed": "7.36.0"} ] } ], "versions": [ "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6" ] } ], "credits": [ { "name": "Steve Holme", "type": "FINDER" }, { "name": "Steve Holme", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl can in some circumstances reuse the wrong connection when asked to\ndo transfers using other protocols than HTTP and FTP.\n\nlibcurl features a pool of recent connections so that subsequent requests\ncan reuse an existing connection to avoid overhead.\n\nWhen reusing a connection a range of criterion must first be met. Due to an\nerror in the code, a transfer that was initiated by an application could\nwrongfully reuse an existing connection to the same server that was\nauthenticated using different credentials. The existing logic basically only\nworked well enough for HTTP and FTP, while all other network protocols were\nsilently, but erroneously, assumed to work like HTTP. Basically, protocols\nthat use connection oriented authentication need a new connection when new\ncredentials are used.\n\nAffected protocols include: SCP, SFTP, POP3(S), IMAP(S), SMTP(S) and\nLDAP(S).\n\nApplications can disable libcurl's reuse of connections and thus mitigate\nthis problem, by using one of the following libcurl options to alter how\nconnections are or are not reused: `CURLOPT_FRESH_CONNECT`,\n`CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the\ncurl_multi API).\n\n(This problem is similar to a problem previously reported to NTLM HTTP\nconnections, named [CVE-2014-0015](CVE-2014-0015.html))" }, { "schema_version": "1.5.0", "id": "CURL-CVE-2014-0015", "aliases": [ "CVE-2014-0015" ], "summary": "reuse of wrong HTTP NTLM connection", "modified": "2025-09-27T10:58:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2014-0015.json", "www": "https://curl.se/docs/CVE-2014-0015.html", "CWE": { "id": "CWE-305", "desc": "Authentication Bypass by Primary Weakness" }, "last_affected": "7.34.0", "severity": "Medium" }, "published": "2014-01-29T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.10.6"}, {"fixed": "7.35.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "73c5f24fa40460f41d6cd9114827383edc57e287"}, {"fixed": "8ae35102c43d8d06572c3a1292eb6e27e663c78d"} ] } ], "versions": [ "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6" ] } ], "credits": [ { "name": "Paras Sethia", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" }, { "name": "Yehezkel Horowitz", "type": "OTHER" } ], "details": "libcurl can in some circumstances reuse the wrong connection when asked to\ndo an NTLM-authenticated HTTP or HTTPS request.\n\nlibcurl features a pool of recent connections so that subsequent requests\ncan reuse an existing connection to avoid overhead.\n\nWhen reusing a connection a range of criterion must first be met. Due to a\nlogical error in the code, a request that was issued by an application could\nwrongfully reuse an existing connection to the same server that was\nauthenticated using different credentials. One underlying reason being that\nNTLM authenticates connections and not requests, contrary to how HTTP is\ndesigned to work and how other authentication methods work.\n\nAn application that allows NTLM and another auth method (the bug only triggers\nif more than one auth method is asked for) to a server (that responds wanting\nNTLM) with user1:password1 and then does another operation to the same server\nwith user2:password2 (when the previous connection was left alive) - the\nsecond request reuses the same connection and since it then sees that the\nNTLM negotiation is already made, it just sends the request over that\nconnection thinking it uses the user2 credentials when it is in fact still\nusing the connection authenticated for user1...\n\nThe set of auth methods to use is set with `CURLOPT_HTTPAUTH`.\n\nTwo common auth defines in libcurl are `CURLAUTH_ANY` and `CURLAUTH_ANYSAFE`.\nBoth of them ask for NTLM and other methods and can therefore trigger this\nproblem.\n\nApplications can disable libcurl's reuse of connections and thus mitigate\nthis problem, by using one of the following libcurl options to alter how\nconnections are or are not reused: `CURLOPT_FRESH_CONNECT`,\n`CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the\ncurl_multi API)." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2013-2174", "aliases": [ "CVE-2013-2174" ], "summary": "URL decode buffer boundary flaw", "modified": "2025-11-12T00:50:45.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2013-2174.json", "www": "https://curl.se/docs/CVE-2013-2174.html", "CWE": { "id": "CWE-126", "desc": "Buffer Over-read" }, "last_affected": "7.30.0", "severity": "High" }, "published": "2013-06-22T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.7"}, {"fixed": "7.31.0"} ] } ], "versions": [ "7.30.0", "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7" ] } ], "credits": [ { "name": "Timo Sirainen", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl is vulnerable to a case of bad checking of the input data which may\n lead to heap corruption.\n\n The function curl_easy_unescape() decodes URL encoded strings to raw binary\n data. URL encoded octets are represented with %HH combinations where HH is a\n two-digit hexadecimal number. The decoded string is written to an allocated\n memory area that the function returns to the caller.\n\n The function takes a source string and a length parameter, and if the length\n provided is 0 the function instead uses strlen() to figure out how much data\n to parse.\n\n The \"%HH\" parser wrongly only considered the case where a zero byte would\n terminate the input. If a length-limited buffer was passed in which ended\n with a '%' character which was followed by two hexadecimal digits outside of\n the buffer libcurl was allowed to parse alas without a terminating zero,\n libcurl would still parse that sequence as well. The counter for remaining\n data to handle would then be decreased too much and wrap to become\n a large integer and the copying would go on too long and the destination\n buffer that is allocated on the heap would get overwritten.\n\n We consider it unlikely that programs allow user-provided strings unfiltered\n into this function. Also, only the not zero-terminated input string use case\n is affected by this flaw. Exploiting this flaw for gain is probably possible\n for specific circumstances but we consider the general risk for this to be\n low.\n\n The curl command line tool is not affected by this problem as it does not\n use this function." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2013-1944", "aliases": [ "CVE-2013-1944" ], "summary": "cookie domain tailmatch", "modified": "2025-05-15T17:48:29.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2013-1944.json", "www": "https://curl.se/docs/CVE-2013-1944.html", "CWE": { "id": "CWE-201", "desc": "Information Exposure Through Sent Data" }, "last_affected": "7.29.0", "severity": "High" }, "published": "2013-04-12T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "4.7"}, {"fixed": "7.30.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"}, {"fixed": "2eb8dcf26cb37f09cffe26909a646e702dbcab66"} ] } ], "versions": [ "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1", "6.0", "5.11", "5.10", "5.9.1", "5.9", "5.8", "5.7.1", "5.7", "5.5.1", "5.5", "5.4", "5.3", "5.2.1", "5.2", "5.0", "4.10", "4.9", "4.8.4", "4.8.3", "4.8.2", "4.8.1", "4.8", "4.7" ] } ], "credits": [ { "name": "YAMADA Yasuharu", "type": "FINDER" }, { "name": "YAMADA Yasuharu", "type": "REMEDIATION_DEVELOPER" } ], "details": "libcurl is vulnerable to a cookie leak vulnerability when doing requests\n across domains with matching tails.\n\n When communicating over HTTP(S) and having libcurl's cookie engine enabled,\n libcurl stores and holds cookies for use when subsequent requests are done\n to hosts and paths that match those kept cookies. Due to a bug in the\n tailmatching function, libcurl could wrongly send cookies meant for the\n domain 'ample.com' when communicating with 'example.com'.\n\n This vulnerability can be used to hijack sessions in targeted attacks since\n registering domains using a known domain's name as an ending is trivial.\n\n Both curl the command line tool and applications using the libcurl library\n are vulnerable." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2011-3389", "aliases": [ "CVE-2011-3389" ], "summary": "SSL CBC IV vulnerability", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2011-3389.json", "www": "https://curl.se/docs/CVE-2011-3389.html", "CWE": { "id": "CWE-924", "desc": "Improper Enforcement of Message Integrity During Transmission in a Communication Channel" }, "last_affected": "7.23.1", "severity": "High" }, "published": "2012-01-24T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.10.6"}, {"fixed": "7.24.0"} ] } ], "versions": [ "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6" ] } ], "credits": [ { "name": "product-security at Apple", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" }, { "name": "Yang Tse", "type": "OTHER" } ], "details": "curl is vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL for\nthe SSL/TLS layer.\n\nThis vulnerability has been identified (CVE-2011-3389 aka the \"BEAST\" attack)\nand is addressed by OpenSSL already as they have made a work-around to\nmitigate the problem. When doing so, they figured out that some servers did\nnot work with the work-around and offered a way to disable it.\n\nThe bit used to disable the workaround was then added to the generic\n`SSL_OP_ALL` bitmask that SSL clients may use to enable workarounds for better\ncompatibility with servers. libcurl uses the SSL_OP_ALL bitmask.\n\nWhile `SSL_OP_ALL` is documented to enable \"rather harmless\" workarounds, it\ndoes in this case effectively enable this security vulnerability again." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2011-2192", "aliases": [ "CVE-2011-2192" ], "summary": "inappropriate GSSAPI delegation", "modified": "2025-11-12T00:50:45.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2011-2192.json", "www": "https://curl.se/docs/CVE-2011-2192.html", "CWE": { "id": "CWE-281", "desc": "Improper Preservation of Permissions" }, "last_affected": "7.21.6", "severity": "Medium" }, "published": "2011-06-23T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.10.6"}, {"fixed": "7.21.7"} ] } ], "versions": [ "7.21.6", "7.21.5", "7.21.4", "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6" ] } ], "credits": [ { "name": "Richard Silverman", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" }, { "name": "Dan Fandrich", "type": "OTHER" }, { "name": "Julien Chaffraix", "type": "OTHER" } ], "details": "When doing GSSAPI authentication, libcurl unconditionally performs\ncredential delegation. This hands the server a copy of the client's security\ncredentials, allowing the server to impersonate the client to any other\nusing the same GSSAPI mechanism. This is obviously a sensitive operation,\nwhich should only be done when the user explicitly so directs.\n\nThe GSS/Negotiate feature is only used by libcurl for HTTP authentication if\ntold to, and only if libcurl was built with a library that provides the\nGSSAPI. Many builds of libcurl do not have GSS enabled." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2010-0734", "aliases": [ "CVE-2010-0734" ], "summary": "data callback excessive length", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2010-0734.json", "www": "https://curl.se/docs/CVE-2010-0734.html", "CWE": { "id": "CWE-628", "desc": "Function Call with Incorrectly Specified Arguments" }, "last_affected": "7.19.7", "severity": "High" }, "published": "2010-02-09T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.10.5"}, {"fixed": "7.20.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "c95814c04d6a0436e5c4c88d2e1d57c7e0c91060"}, {"fixed": "06ae8ca5a6e452e5cb555c1a511a9df8dec6657c"} ] } ], "versions": [ "7.19.7", "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5" ] } ], "credits": [ { "name": "Wesley Miaw", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When downloading data, libcurl hands it over to the application using a\ncallback that is registered by the client software. libcurl then calls that\nfunction repeatedly with data until the transfer is complete. The callback is\ndocumented to receive a maximum data size of 16K (`CURL_MAX_WRITE_SIZE`).\n\nUsing the affected libcurl version to download compressed content over HTTP,\nan application can ask libcurl to automatically uncompress data. When doing\nso, libcurl can wrongly send data up to 64K in size to the callback which\nthus is much larger than the documented maximum size. An application that\nblindly trusts libcurl's max limit for a fixed buffer size or similar is\nthen a possible target for a buffer overflow vulnerability.\n\nThis error is only present in zlib-enabled builds of libcurl and only if\nautomatic decompression has been explicitly enabled by the application - it\nis disabled by default.\n\nWe have not found any libcurl client software that is vulnerable to this\nflaw - but we acknowledge that there may still be vulnerable software in\nexistence." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2009-2417", "aliases": [ "CVE-2009-2417" ], "summary": "embedded zero in cert name", "modified": "2025-11-12T00:50:45.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2009-2417.json", "www": "https://curl.se/docs/CVE-2009-2417.html", "CWE": { "id": "CWE-170", "desc": "Improper Null Termination" }, "last_affected": "7.19.5", "severity": "High" }, "published": "2009-08-12T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.4"}, {"fixed": "7.19.6"} ] } ], "versions": [ "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4" ] } ], "credits": [ { "name": "Scott Cantor", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" }, { "name": "Peter Sylvester", "type": "OTHER" }, { "name": "Michal Marek", "type": "OTHER" }, { "name": "Kamil Dudka", "type": "OTHER" } ], "details": "SSL and TLS Server certificates contain one or more fields with server name\nor otherwise matching patterns. These strings are stored as content and\nlength within the certificate, and thus there is no particular terminating\ncharacter.\n\ncurl's OpenSSL interfacing code did faulty assumptions about those names and\npatterns being zero terminated, allowing itself to be fooled in case a\ncertificate would get a zero byte embedded into one of the name fields. To\nillustrate, a name that would show this vulnerability could look like:\n\n \"example.com\\0.haxx.se\"\n\nThis cert is thus made for \"haxx.se\" but curl would erroneously verify it\nwith no complaints for \"example.com\".\n\nAccording to a recently published presentation, this kind of zero embedding\nhas been proven to be possible with at least one CA." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2009-0037", "aliases": [ "CVE-2009-0037" ], "summary": "Arbitrary File Access", "modified": "2024-07-02T09:22:24.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2009-0037.json", "www": "https://curl.se/docs/CVE-2009-0037.html", "CWE": { "id": "CWE-142", "desc": "Improper Neutralization of Value Delimiters" }, "last_affected": "7.19.3", "severity": "Medium" }, "published": "2009-03-03T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "5.11"}, {"fixed": "7.19.4"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"}, {"fixed": "042cc1f69ec0878f542667cb684378869f859911"} ] } ], "versions": [ "7.19.3", "7.19.2", "7.19.1", "7.19.0", "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1", "6.3", "6.2", "6.1", "6.0", "5.11" ] } ], "credits": [ { "name": "David Kierznowski", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "When told to follow a \"redirect\" automatically, libcurl does not question the\nnew target URL but follows it to any new URL that it understands. As libcurl\nsupports FILE:// URLs, a rogue server can thus \"trick\" a libcurl-using\napplication to read a local file instead of the remote one.\n\nThis is a problem, for example, when the application is running on a server\nand is written to upload or to otherwise provide the transferred data to a\nuser, to another server or to another application etc, as it can be used to\nexpose local files it was not meant to.\n\nThe problem can also be exploited for uploading, if the rogue server\nredirects the client to a local file and thus it would (over)write a local\nfile instead of sending it to the server.\n\nlibcurl compiled to support SCP can get tricked to get a file using embedded\nsemicolons, which can lead to execution of commands on the given\nserver. `Location: scp://name:passwd@host/a;date >/tmp/test;`.\n\nFiles on servers other than the one running libcurl are also accessible when\ncredentials for those servers are stored in the .netrc file of the user\nrunning libcurl. This is most common for FTP servers, but can occur with\nany protocol supported by libcurl. Files on remote SSH servers are also\naccessible when the user has an unencrypted SSH key." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2005-4077", "aliases": [ "CVE-2005-4077" ], "summary": "URL Buffer Overflow", "modified": "2023-06-02T13:03:22.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2005-4077.json", "www": "https://curl.se/docs/CVE-2005-4077.html", "CWE": { "id": "CWE-122", "desc": "Heap-based Buffer Overflow" }, "last_affected": "7.15.0", "severity": "High" }, "published": "2005-12-07T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.11.2"}, {"fixed": "7.15.1"} ] } ], "versions": [ "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2" ] } ], "credits": [ { "name": "Stefan Esser", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" }, { "name": "Wilfried Weissmann", "type": "OTHER" } ], "details": "libcurl's URL parser function can overflow a heap based buffer in two ways, if\ngiven a too long URL.\n\nThese overflows happen if you\n\n 1 - pass in a URL with no protocol (like \"http://\") prefix, using no slash\n and the string is 256 bytes or longer. This leads to a single zero byte\n overflow of the heap buffer.\n\n 2 - pass in a URL with only a question mark as separator (no slash) between\n the host and the query part of the URL. This leads to a single zero byte\n overflow of the heap buffer.\n\nBoth overflows can be made with the same input string, leading to two single\nzero byte overwrites.\n\nThe affected flaw cannot be triggered by a redirect, but the long URL must be\npassed in \"directly\" to libcurl. It makes this a \"local\" problem. Of course,\nlots of programs may still pass in user-provided URLs to libcurl without doing\nmuch syntax checking of their own, allowing a user to exploit this\nvulnerability." }, { "schema_version": "1.5.0", "id": "CURL-CVE-2005-3185", "aliases": [ "CVE-2005-3185" ], "summary": "NTLM Buffer Overflow", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2005-3185.json", "www": "https://curl.se/docs/CVE-2005-3185.html", "CWE": { "id": "CWE-121", "desc": "Stack-based Buffer Overflow" }, "last_affected": "7.14.1", "severity": "High" }, "published": "2005-10-13T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.10.6"}, {"fixed": "7.15.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "bdb5e5a25037a585e0ec6b83d29b25961c6823f8"}, {"fixed": "943aea62679fb9f2d6d7abe59b5edcba21490c52"} ] } ], "versions": [ "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6" ] } ], "credits": [ { "name": "iDEFENSE", "type": "FINDER" } ], "details": "libcurl's NTLM function can overflow a stack-based buffer if given a too long\nusername or domain name. This would happen if you enable NTLM authentication\nand either:\n\n A - pass in a username and domain name to libcurl that together are longer\n than 192 bytes\n\n B - allow (lib)curl to follow HTTP \"redirects\" (Location: and the appropriate\n HTTP 30x response code) and the new URL contains a URL with a username\n and domain name that together are longer than 192 bytes" }, { "schema_version": "1.5.0", "id": "CURL-CVE-2005-0490", "aliases": [ "CVE-2005-0490" ], "summary": "Authentication Buffer Overflows", "modified": "2024-06-07T13:53:51.00Z", "database_specific": { "package": "curl", "affects": "both", "URL": "https://curl.se/docs/CVE-2005-0490.json", "www": "https://curl.se/docs/CVE-2005-0490.html", "CWE": { "id": "CWE-121", "desc": "Stack-based Buffer Overflow" }, "last_affected": "7.13.0", "severity": "High" }, "published": "2005-02-21T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.3"}, {"fixed": "7.13.1"} ] } ], "versions": [ "7.13.0", "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", "7.5", "7.4.2", "7.4.1", "7.4", "7.3" ] } ], "credits": [ { "name": "unknown", "type": "FINDER" } ], "details": "Due to bad usage of the base64 decode function to a stack-based buffer without\nchecking the data length, it was possible for a malicious HTTP server to\noverflow the client during NTLM negotiation and for an FTP server to overflow\nthe client during krb4 negotiation. The\n[announcement](http://www.idefense.com/application/poi/display?id=202) of this\nflaw was done without contacting us." }]