CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2017-8816 – curl: NTLM buffer overflow via integer overflow
https://notcve.org/view.php?id=CVE-2017-8816
29 Nov 2017 — The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a denial of service (integer overflow and resultant buffer overflow, and application crash) or possibly have unspecified other impact via vectors involving long user and password fields. La característica de autenticación NTLM en curl y libcurl en versiones anteriores a la 7.57.0 en plataformas de 32-bits permite que los atacantes provoquen una denegación de servicio (desbordamiento de enteros y d... • http://security.cucumberlinux.com/security/details.php?id=161 • CWE-122: Heap-based Buffer Overflow CWE-190: Integer Overflow or Wraparound •
CVSS: 9.8EPSS: 1%CPEs: 4EXPL: 0CVE-2017-8817 – curl: FTP wildcard out of bounds read
https://notcve.org/view.php?id=CVE-2017-8817
29 Nov 2017 — The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character. La función FTP wildcard en curl y libcurl en versiones anteriores a la 7.57.0 permite que atacantes remotos provoquen una denegación de servicio (lectura fuera de límites y cierre inesperado de aplicación) o, probablemente, causen cualquier otro tipo de impacto median... • http://security.cucumberlinux.com/security/details.php?id=162 • CWE-125: Out-of-bounds Read •
CVSS: 9.1EPSS: 1%CPEs: 3EXPL: 0CVE-2017-1000257 – curl: IMAP FETCH response out of bounds read
https://notcve.org/view.php?id=CVE-2017-1000257
23 Oct 2017 — An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memor... • http://www.debian.org/security/2017/dsa-4007 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-125: Out-of-bounds Read •
CVSS: 7.5EPSS: 1%CPEs: 117EXPL: 0CVE-2017-1000254 – curl: FTP PWD response parser out of bounds read
https://notcve.org/view.php?id=CVE-2017-1000254
06 Oct 2017 — libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would ... • http://www.debian.org/security/2017/dsa-3992 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-125: Out-of-bounds Read •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-1000099 – Slackware Security Advisory - curl Updates
https://notcve.org/view.php?id=CVE-2017-1000099
09 Aug 2017 — When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently displayed. The wrong buffer was an uninitialized memory area allocated on the heap and if it turned out to not contain any zero byte, it would continue and display the data following that buffer... • http://www.securityfocus.com/bid/100281 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 79EXPL: 0CVE-2017-1000100 – curl: TFTP sends more than buffer size
https://notcve.org/view.php?id=CVE-2017-1000100
09 Aug 2017 — When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could... • http://www.debian.org/security/2017/dsa-3992 • CWE-125: Out-of-bounds Read CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-7468 – Ubuntu Security Notice USN-3262-1
https://notcve.org/view.php?id=CVE-2017-7468
21 Apr 2017 — In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They are used when... • http://www.securityfocus.com/bid/97962 • CWE-295: Improper Certificate Validation •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0CVE-2016-8622 – curl: URL unescape heap overflow via integer truncation
https://notcve.org/view.php?id=CVE-2016-8622
04 Nov 2016 — The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer. La función URL percent-encoding en libcurl en versiones anteriores a la 7.51.0... • http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html • CWE-122: Heap-based Buffer Overflow CWE-190: Integer Overflow or Wraparound CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 1%CPEs: 2EXPL: 0CVE-2016-7141 – curl: Incorrect reuse of client certificates
https://notcve.org/view.php?id=CVE-2016-7141
03 Oct 2016 — curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420. curl y libcurl en versiones anteriores a 7.50.2, cuando se construye con NSS y la librería libnsspem.so está disponible en tiempo de ejecución, permiten a ataca... • http://lists.opensuse.org/opensuse-updates/2016-09/msg00094.html • CWE-287: Improper Authentication CWE-295: Improper Certificate Validation •
CVSS: 9.8EPSS: 2%CPEs: 4EXPL: 0CVE-2016-7167 – curl: escape and unescape integer overflows
https://notcve.org/view.php?id=CVE-2016-7167
16 Sep 2016 — Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow. Múltiples desbordamientos de entero en las funciones (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape y (4) curl_easy_unescape en libcurl en versiones anteriores a 7.50.3 permiten a atacantes tener impacto no especificado a tra... • http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html • CWE-190: Integer Overflow or Wraparound •