CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-1000099
https://notcve.org/view.php?id=CVE-2017-1000099
When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently displayed. The wrong buffer was an uninitialized memory area allocated on the heap and if it turned out to not contain any zero byte, it would continue and display the data following that buffer in memory. A la hora de pedir un archivo de una URL de tipo "file://", libcurl ofrece una característica que envía metadatos sobre el archivo mediante cabeceras HTTP. El código responsable de esto enviaría el búfer erróneo al usuario (stdout o la llamada de vuelta de la aplicación), lo que podría provocar que otros datos privados de la memoria dinámica (heap) se muestren en consecuencia. • http://www.securityfocus.com/bid/100281 http://www.securitytracker.com/id/1039119 https://curl.haxx.se/0809C.patch https://curl.haxx.se/docs/adv_20170809C.html https://security.gentoo.org/glsa/201709-14 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 79EXPL: 0CVE-2017-1000100 – curl: TFTP sends more than buffer size
https://notcve.org/view.php?id=CVE-2017-1000100
When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS. • http://www.debian.org/security/2017/dsa-3992 http://www.securityfocus.com/bid/100286 http://www.securitytracker.com/id/1039118 https://access.redhat.com/errata/RHSA-2018:3558 https://curl.haxx.se/docs/adv_20170809B.html https://security.gentoo.org/glsa/201709-14 https://support.apple.com/HT208221 https://access.redhat.com/security/cve/CVE-2017-1000100 https://bugzilla.redhat.com/show_bug.cgi?id=1478310 • CWE-125: Out-of-bounds Read CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2017-9502
https://notcve.org/view.php?id=CVE-2017-9502
In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. If the default protocol is specified to be FILE or a file: URL lacks two slashes, the given "URL" starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl would copy the path 7 bytes off, so that the end of the given path would write beyond the malloc buffer (7 bytes being the length in bytes of the ascii string "file://"). En curl en sus versiones anteriores a la 7.54.1 de Windows y DOS, la función libcurl de protocolo por defecto, el cual es lógico que permita una aplicación poner que protocolo libcurl debe intentar usar cuando una URL le es dada sin una parte diseñada, tiene un flaw que podría llevar a sobrescribir buffer heap --heap-- con siete bytes. Si se especifica que el protocolo sea FILE o un archivo: A la URL le faltan dos barras, la URL dada comienza con una letra de unidad, y libcurl es construida para Windows o DOS, entonces libcurl copiaría la ruta de 7bytes, asique el final de la ruta dada escribiría mas allá del buffer reservado (7 bytes son la longitud de la cadena ASCII "file://"). • http://openwall.com/lists/oss-security/2017/06/14/1 http://www.securityfocus.com/bid/99120 http://www.securitytracker.com/id/1038697 https://curl.haxx.se/docs/adv_20170614.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-7468
https://notcve.org/view.php?id=CVE-2017-7468
In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They are used when for any reason an existing TLS connection couldn't be kept alive to make the next handshake faster. This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range. En curl y libcurl 7.52.0 hasta e incluyendo la versión 7.53.1, libcurl intenta retomar una sesión TLS aunque el certificado del cliente haya cambiado. • http://www.securityfocus.com/bid/97962 http://www.securitytracker.com/id/1038341 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7468 https://curl.haxx.se/docs/adv_20170419.html https://security.gentoo.org/glsa/201709-14 • CWE-295: Improper Certificate Validation •
CVSS: 2.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-7407 – curl: --write-out out of bounds read
https://notcve.org/view.php?id=CVE-2017-7407
The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read. La función ourWriteOut en tool_writeout.c en curl 7.53.1 podría permitir que los atacantes físicamente próximos obtengan información sensible de la memoria del proceso en circunstancias oportunistas leyendo una pantalla de la estación de trabajo durante el uso de un argumento --write-out que termina en un carácter '%', lo que conduce a desbordamiento de búfer basado en memoria dinámica. • http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html https://access.redhat.com/errata/RHSA-2018:3558 https://github.com/curl/curl/commit/1890d59905414ab84a35892b2e45833654aa5c13 https://security.gentoo.org/glsa/201709-14 https://access.redhat.com/security/cve/CVE-2017-7407 https://bugzilla.redhat.com/show_bug.cgi?id=1439190 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-125: Out-of-bounds Read •