CVSS: 6.5EPSS: 0%CPEs: 16EXPL: 1CVE-2023-23916 – curl: HTTP multi-header compression denial of service
https://notcve.org/view.php?id=CVE-2023-23916
An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors. A flaw was found in the Curl package. A malicious server can insert an unlimited number of compression steps. • https://hackerone.com/reports/1826048 https://lists.debian.org/debian-lts-announce/2023/02/msg00035.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQKE6TXYDHOTFHLTBZ5X73GTKI7II5KO https://security.gentoo.org/glsa/202310-12 https://security.netapp.com/advisory/ntap-20230309-0006 https://www.debian.org/security/2023/dsa-5365 https://access.redhat.com/security/cve/CVE-2023-23916 https://bugzilla.redhat.com/show_bug.cgi?id=2167815 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.9EPSS: 0%CPEs: 5EXPL: 1CVE-2022-43552 – curl: Use-after-free triggered by an HTTP proxy deny response
https://notcve.org/view.php?id=CVE-2022-43552
A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path. A vulnerability was found in curl. • http://seclists.org/fulldisclosure/2023/Mar/17 https://hackerone.com/reports/1764858 https://security.gentoo.org/glsa/202310-12 https://security.netapp.com/advisory/ntap-20230214-0002 https://support.apple.com/kb/HT213670 https://access.redhat.com/security/cve/CVE-2022-43552 https://bugzilla.redhat.com/show_bug.cgi?id=2152652 • CWE-416: Use After Free •
CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 1CVE-2022-43551 – curl: HSTS bypass via IDN
https://notcve.org/view.php?id=CVE-2022-43551
A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. • https://hackerone.com/reports/1755083 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TVWZW5CNSJ7UYAF2BGSYAWAEXDJYUBHA https://security.gentoo.org/glsa/202310-12 https://security.netapp.com/advisory/ntap-20230427-0007 https://access.redhat.com/security/cve/CVE-2022-43551 https://bugzilla.redhat.com/show_bug.cgi?id=2152639 • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 6.5EPSS: 0%CPEs: 14EXPL: 1CVE-2022-35260
https://notcve.org/view.php?id=CVE-2022-35260
curl can be told to parse a `.netrc` file for credentials. If that file endsin a line with 4095 consecutive non-white space letters and no newline, curlwould first read past the end of the stack-based buffer, and if the readworks, write a zero byte beyond its boundary.This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes.If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service. Se puede indicar a curl que analice un archivo `.netrc` en busca de credenciales. Si ese archivo termina en una línea con 4095 letras de espacios consecutivos que no sean espacios en blanco y sin nueva línea, curl primero leerá más allá del final del búfer basado en pila y, si la lectura funciona, escribirá un byte cero más allá de su límite. En la mayoría de los casos, esto causará una falla de segmento o similar, pero las circunstancias también pueden causar resultados diferentes. • http://seclists.org/fulldisclosure/2023/Jan/19 http://seclists.org/fulldisclosure/2023/Jan/20 https://hackerone.com/reports/1721098 https://security.gentoo.org/glsa/202212-01 https://security.netapp.com/advisory/ntap-20230110-0006 https://support.apple.com/kb/HT213604 https://support.apple.com/kb/HT213605 • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 0%CPEs: 16EXPL: 1CVE-2022-32221 – curl: POST following PUT confusion
https://notcve.org/view.php?id=CVE-2022-32221
When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. Al realizar transferencias HTTP(S), libcurl podría usar erróneamente la devolución de llamada de lectura (`CURLOPT_READFUNCTION`) para solicitar datos para enviar, incluso cuando se haya configurado la opción `CURLOPT_POSTFIELDS`, si anteriormente se usó el mismo identificador para emitir un `PUT `solicitud que utilizó esa devolución de llamada. Esta falla puede sorprender a la aplicación y hacer que se comporte mal y envíe datos incorrectos o use memoria después de liberarla o algo similar en la solicitud "POST" posterior. • http://seclists.org/fulldisclosure/2023/Jan/19 http://seclists.org/fulldisclosure/2023/Jan/20 http://www.openwall.com/lists/oss-security/2023/05/17/4 https://hackerone.com/reports/1704017 https://lists.debian.org/debian-lts-announce/2023/01/msg00028.html https://security.gentoo.org/glsa/202212-01 https://security.netapp.com/advisory/ntap-20230110-0006 https://security.netapp.com/advisory/ntap-20230208-0002 https://support.apple.com/kb/HT213604 https://support.apple.com/k • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-440: Expected Behavior Violation CWE-668: Exposure of Resource to Wrong Sphere •