CVSS: 4.3EPSS: 1%CPEs: 1EXPL: 1CVE-2019-5435 – curl: Integer overflows in curl_url_set() function
https://notcve.org/view.php?id=CVE-2019-5435
An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1. Un desbordamiento de enteros en la API de URL de curl, da como resultado un desbordamiento de búfer en libcurl en la versión 7.62.0 hasta la 7.64.1 incluyendola. • https://curl.haxx.se/docs/CVE-2019-5435.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2 https://security.gentoo.org/glsa/202003-29 https://security.netapp.com/advisory/ntap-20190606-0004 https://support.f5.com/csp/article/K08125515 https://www.oracle.com/security-alerts/cpuapr2020.html https://www.oracle.com/security-alerts/cpuoct2020.html https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html https:&#x • CWE-131: Incorrect Calculation of Buffer Size CWE-190: Integer Overflow or Wraparound •
CVSS: 7.5EPSS: 0%CPEs: 11EXPL: 2CVE-2019-3823 – curl: SMTP end-of-response out-of-bounds read
https://notcve.org/view.php?id=CVE-2019-3823
libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. The read contents will not be returned to the caller. libcurl, desde la versión 7.34.0 hasta antes de la 7.64.0, es vulnerable a una lectura de memoria dinámica (heap) fuera de límites en el código que maneja el final de la respuesta para SMTP. Si el búfer que se pasa a "smtp_endofresp()" no termina en NUL, no contiene caracteres que terminen el número analizado y "len" se establece como 5, la llamada "strtol()" lee más allá del búfer asignado. Los contenidos de la lectura no se devolverán al llamante. • http://www.securityfocus.com/bid/106950 https://access.redhat.com/errata/RHSA-2019:3701 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3823 https://cert-portal.siemens.com/productcert/pdf/ssa-936080.pdf https://curl.haxx.se/docs/CVE-2019-3823.html https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f%40%3Cdevnull.infra.apache.org%3E https://security.gentoo.org/glsa/201903-03 https://security.netapp.com/advisory/ntap-20190315-0001 https://usn.ubuntu • CWE-125: Out-of-bounds Read •
CVSS: 7.5EPSS: 4%CPEs: 16EXPL: 1CVE-2018-16890 – curl: NTLM type-2 heap out-of-bounds buffer read
https://notcve.org/view.php?id=CVE-2018-16890
libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds. Libcurl, desde la versión 7.36.0 hasta antes de la 7.64.0, es vulnerable a una lectura de memoria dinámica (heap) fuera de límites. La función que gestiona los mensajes entrantes NTLM de tipo 2 ("lib/vauth/ntlm.c:ntlm_decode_type2_target") no valida los datos entrantes correctamente y está sujeta a una vulnerabilidad de desbordamiento de enteros. • https://github.com/michelleamesquita/CVE-2018-16890 http://www.securityfocus.com/bid/106947 https://access.redhat.com/errata/RHSA-2019:3701 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16890 https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf https://curl.haxx.se/docs/CVE-2018-16890.html https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f%40%3Cdevnull.infra.apache.org%3E https://security.netapp.com/advisory/ntap-20190315-0001 https://sup • CWE-125: Out-of-bounds Read CWE-190: Integer Overflow or Wraparound •
CVSS: 9.8EPSS: 19%CPEs: 23EXPL: 1CVE-2019-3822 – curl: NTLMv2 type-3 header stack buffer overflow
https://notcve.org/view.php?id=CVE-2019-3822
libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. • http://www.securityfocus.com/bid/106950 https://access.redhat.com/errata/RHSA-2019:3701 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3822 https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf https://curl.haxx.se/docs/CVE-2019-3822.html https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f%40%3Cdevnull.infra.apache.org%3E https://security.gentoo.org/glsa/201903-03 https://security.netapp.com/advisory/ntap-20190315-0001 https://security.n • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2018-16840 – curl: Use-after-free when closing "easy" handle in Curl_close()
https://notcve.org/view.php?id=CVE-2018-16840
A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct. Se ha detectado un error de uso de memoria dinámica (heap) previamente liberada en Curl, desde la versión 7.59.0 hasta la 7.61.1, en el código relacionado con el cierre de un controlador "easy". Al cerrar y limpiar un controlador "easy" en la función "Curl_close()", el código de la biblioteca libera, en primer lugar, un struct (sin pasar el puntero a null) y, después, podría escribir erróneamente en un campo struct dentro del struct ya liberado. • http://www.securitytracker.com/id/1042013 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16840 https://curl.haxx.se/docs/CVE-2018-16840.html https://github.com/curl/curl/commit/81d135d67155c5295b1033679c606165d4e28f3f https://security.gentoo.org/glsa/201903-03 https://usn.ubuntu.com/3805-1 https://access.redhat.com/security/cve/CVE-2018-16840 https://bugzilla.redhat.com/show_bug.cgi?id=1642203 • CWE-416: Use After Free •