Vulnerabilities (CVE)

Filtered by vendor Haxx Subscribe
Filtered by product Libcurl
Total 59 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-1000100 1 Haxx 1 Libcurl 2024-02-04 4.3 MEDIUM 6.5 MEDIUM
When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS.
CVE-2017-1000254 1 Haxx 1 Libcurl 2024-02-04 5.0 MEDIUM 7.5 HIGH
libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.
CVE-2017-8818 1 Haxx 2 Curl, Libcurl 2024-02-04 7.5 HIGH 9.8 CRITICAL
curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact because too little memory is allocated for interfacing to an SSL library.
CVE-2017-1000257 2 Debian, Haxx 2 Debian Linux, Libcurl 2024-02-04 6.4 MEDIUM 9.1 CRITICAL
An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded.
CVE-2017-8816 2 Debian, Haxx 3 Debian Linux, Curl, Libcurl 2024-02-04 7.5 HIGH 9.8 CRITICAL
The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a denial of service (integer overflow and resultant buffer overflow, and application crash) or possibly have unspecified other impact via vectors involving long user and password fields.
CVE-2016-7141 2 Haxx, Opensuse 2 Libcurl, Leap 2024-02-04 5.0 MEDIUM 7.5 HIGH
curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.
CVE-2016-5419 3 Debian, Haxx, Opensuse 3 Debian Linux, Libcurl, Leap 2024-02-04 5.0 MEDIUM 7.5 HIGH
curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.
CVE-2016-5420 3 Debian, Haxx, Opensuse 3 Debian Linux, Libcurl, Leap 2024-02-04 5.0 MEDIUM 7.5 HIGH
curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.
CVE-2015-3237 3 Haxx, Hp, Oracle 5 Curl, Libcurl, System Management Homepage and 2 more 2024-02-04 6.4 MEDIUM N/A
The smb_request_state function in cURL and libcurl 7.40.0 through 7.42.1 allows remote SMB servers to obtain sensitive information from memory or cause a denial of service (out-of-bounds read and crash) via crafted length and offset values.
CVE-2016-5421 5 Canonical, Debian, Fedoraproject and 2 more 6 Ubuntu Linux, Debian Linux, Fedora and 3 more 2024-02-04 6.8 MEDIUM 8.1 HIGH
Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to control which connection is used or possibly have unspecified other impact via unknown vectors.
CVE-2016-7167 2 Fedoraproject, Haxx 2 Fedora, Libcurl 2024-02-04 7.5 HIGH 9.8 CRITICAL
Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow.
CVE-2015-3236 1 Haxx 2 Curl, Libcurl 2024-02-04 5.0 MEDIUM N/A
cURL and libcurl 7.40.0 through 7.42.1 send the HTTP Basic authentication credentials for a previous connection when reusing a reset (curl_easy_reset) connection handle to send a request to the same host name, which allows remote attackers to obtain sensitive information via unspecified vectors.
CVE-2015-3153 5 Apple, Canonical, Debian and 2 more 6 Mac Os X, Ubuntu Linux, Debian Linux and 3 more 2024-02-04 5.0 MEDIUM N/A
The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.
CVE-2015-3148 7 Apple, Canonical, Debian and 4 more 8 Mac Os X, Ubuntu Linux, Debian Linux and 5 more 2024-02-04 5.0 MEDIUM N/A
cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.
CVE-2014-8151 2 Apple, Haxx 2 Mac Os X, Libcurl 2024-02-04 5.8 MEDIUM N/A
The darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in libcurl 7.31.0 through 7.39.0, when using the DarwinSSL (aka SecureTransport) back-end for TLS, does not check if a cached TLS session validated the certificate when reusing the session, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
CVE-2015-3143 5 Apple, Canonical, Debian and 2 more 6 Mac Os X, Ubuntu Linux, Debian Linux and 3 more 2024-02-04 5.0 MEDIUM N/A
cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015.
CVE-2015-3144 4 Canonical, Debian, Haxx and 1 more 5 Ubuntu Linux, Debian Linux, Curl and 2 more 2024-02-04 9.0 HIGH N/A
The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a zero-length host name, as demonstrated by "http://:80" and ":80."
CVE-2014-8150 3 Canonical, Debian, Haxx 3 Ubuntu Linux, Debian Linux, Libcurl 2024-02-04 4.3 MEDIUM N/A
CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.
CVE-2015-3145 8 Apple, Canonical, Debian and 5 more 9 Mac Os X, Ubuntu Linux, Debian Linux and 6 more 2024-02-04 7.5 HIGH N/A
The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly have other unspecified impact via a cookie path containing only a double-quote character.