CVE-2021-22876 – curl: Leak of authentication credentials in URL via automatic Referer
https://notcve.org/view.php?id=CVE-2021-22876
curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. curl versiones 7.1.1 hasta 7.75.0 incluyéndola, es vulnerable a una "Exposure of Private Personal Information to an Unauthorized Actor" al filtrar credenciales en el encabezado HTTP Referer:. libcurl no elimina las credenciales de usuario de la URL cuando completa automáticamente el campo de encabezado de petición HTTP Referer: en peticiones HTTP salientes y, por lo tanto, corre el riesgo de filtrar datos confidenciales al servidor que es el objetivo de la segunda petición HTTP. It was discovered that libcurl did not remove authentication credentials from URLs when automatically populating the Referer HTTP request header while handling HTTP redirects. This could lead to exposure of the credentials to the server to which requests were redirected. • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://curl.se/docs/CVE-2021-22876.html https://hackerone.com/reports/1101882 https://lists.debian.org/debian-lts-announce/2021/05/msg00019.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC https://lists.fedoraproject.org/archives/list/package-announce%40 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •
CVE-2020-8285 – curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used
https://notcve.org/view.php?id=CVE-2020-8285
curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing. curl versiones 7.21.0 hasta 7.73.0 e incluyéndola, es vulnerable a una recursividad no controlada debido a un problema de desbordamiento de la pila en el análisis de coincidencias del comodín FTP Libcurl offers a wildcard matching functionality, which allows a callback (set with `CURLOPT_CHUNK_BGN_FUNCTION`) to return information back to libcurl on how to handle a specific entry in a directory when libcurl iterates over a list of all available entries. When this callback returns `CURL_CHUNK_BGN_FUNC_SKIP`, to tell libcurl to not deal with that file, the internal function in libcurl then calls itself recursively to handle the next directory entry. If there's a sufficient amount of file entries and if the callback returns "skip" enough number of times, libcurl runs out of stack space. The exact amount will of course vary with platforms, compilers and other environmental factors. • http://seclists.org/fulldisclosure/2021/Apr/51 https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://curl.se/docs/CVE-2020-8285.html https://github.com/curl/curl/issues/6255 https://hackerone.com/reports/1045844 https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E https://lists.debian.org/debian-lts • CWE-121: Stack-based Buffer Overflow CWE-674: Uncontrolled Recursion CWE-787: Out-of-bounds Write •
CVE-2020-8231 – curl: Expired pointer dereference via multi API with CURLOPT_CONNECT_ONLY option set
https://notcve.org/view.php?id=CVE-2020-8231
Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data. Debido al uso de un puntero colgante, libcurl versiones 7.29.0 hasta 7.71.1, puede usar la conexión errónea cuando envía datos A flaw was found in libcurl from versions 7.29.0 through 7.71.1. An application that performs multiple requests with libcurl's multi API, and sets the `CURLOPT_CONNECT_ONLY` option, might experience libcurl using the wrong connection. The highest threat from this vulnerability is to data confidentiality. • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://curl.haxx.se/docs/CVE-2020-8231.html https://hackerone.com/reports/948876 https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E https://security.gentoo.org/glsa/202012-14 https://www.debian.org/security/2021/dsa-4881 https://www.oracle.com/securi • CWE-416: Use After Free CWE-822: Untrusted Pointer Dereference •
CVE-2019-5436 – curl: TFTP receive heap buffer overflow in tftp_receive_packet() function
https://notcve.org/view.php?id=CVE-2019-5436
A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1. Un desbordamiento de búfer en la memoria dinámica (heap) del código de recepción TFTP, permite la ejecución de código arbitrario o una Denegación de Servicio (DoS) en las versiones de libcurl 7.19.4 hasta 7.64.1. • http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html http://www.openwall.com/lists/oss-security/2019/09/11/6 https://curl.haxx.se/docs/CVE-2019-5436.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2 https://seclists.org/bugtraq/2020/Feb/36 https://security.gentoo.org/glsa/202003-29 https://security.netapp.com/advisory& • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVE-2018-14618 – curl: NTLM password overflow via integer overflow
https://notcve.org/view.php?id=CVE-2018-14618
curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. • http://www.securitytracker.com/id/1041605 https://access.redhat.com/errata/RHSA-2018:3558 https://access.redhat.com/errata/RHSA-2019:1880 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618 https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf https://curl.haxx.se/docs/CVE-2018-14618.html https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0014 https://security.gentoo.org/glsa/201903-03 https://usn.ubuntu.com/3765-1 https://usn.ubuntu.com/ • CWE-122: Heap-based Buffer Overflow CWE-131: Incorrect Calculation of Buffer Size CWE-190: Integer Overflow or Wraparound •