Page 6 of 56 results (0.016 seconds)

CVSS: 6.5EPSS: 0%CPEs: 79EXPL: 0

When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS. • http://www.debian.org/security/2017/dsa-3992 http://www.securityfocus.com/bid/100286 http://www.securitytracker.com/id/1039118 https://access.redhat.com/errata/RHSA-2018:3558 https://curl.haxx.se/docs/adv_20170809B.html https://security.gentoo.org/glsa/201709-14 https://support.apple.com/HT208221 https://access.redhat.com/security/cve/CVE-2017-1000100 https://bugzilla.redhat.com/show_bug.cgi?id=1478310 • CWE-125: Out-of-bounds Read CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They are used when for any reason an existing TLS connection couldn't be kept alive to make the next handshake faster. This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range. En curl y libcurl 7.52.0 hasta e incluyendo la versión 7.53.1, libcurl intenta retomar una sesión TLS aunque el certificado del cliente haya cambiado. • http://www.securityfocus.com/bid/97962 http://www.securitytracker.com/id/1038341 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7468 https://curl.haxx.se/docs/adv_20170419.html https://security.gentoo.org/glsa/201709-14 • CWE-295: Improper Certificate Validation •

CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0

The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer. La función URL percent-encoding en libcurl en versiones anteriores a la 7.51.0 se denomina "curl_easy_unescape". Internamente, aunque esta función se haya hecho para asignar un búfer de destino no escapado más grande de 2GB, devuelve esa nueva longitud en una variable de enteros de 32 bits. • http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/94105 http://www.securitytracker.com/id/1037192 https://access.redhat.com/errata/RHSA-2018:2486 https://access.redhat.com/errata/RHSA-2018:3558 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8622 https://curl.haxx.se/docs/adv_20161102H.html https://security.gentoo.org/glsa/201701-47 https://www.tenable.com/security/tns-2016-21 https://access.redhat.com/securit • CWE-122: Heap-based Buffer Overflow CWE-190: Integer Overflow or Wraparound CWE-787: Out-of-bounds Write •

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420. curl y libcurl en versiones anteriores a 7.50.2, cuando se construye con NSS y la librería libnsspem.so está disponible en tiempo de ejecución, permiten a atacantes remotos secuestrar la autenticación de una conexión TLS aprovechando la reutilización de un certificado cliente cargado previamente desde un archivo para una conexión para el que no se ha configurado ningún certificado, una vulnerabilidad diferente a CVE-2016-5420. It was found that the libcurl library using the NSS (Network Security Services) library as TLS/SSL backend incorrectly re-used client certificates for subsequent TLS connections in certain cases. An attacker could potentially use this flaw to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate. • http://lists.opensuse.org/opensuse-updates/2016-09/msg00094.html http://rhn.redhat.com/errata/RHSA-2016-2575.html http://rhn.redhat.com/errata/RHSA-2016-2957.html http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/92754 http://www.securitytracker.com/id/1036739 https://access.redhat.com/errata/RHSA-2018:3558 https://bugzilla.redhat.com/show_bug.cgi?id=1373229 https://curl.haxx.se/docs/adv_20160907.html https://githu • CWE-287: Improper Authentication CWE-295: Improper Certificate Validation •

CVSS: 9.8EPSS: 2%CPEs: 4EXPL: 0

Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow. Múltiples desbordamientos de entero en las funciones (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape y (4) curl_easy_unescape en libcurl en versiones anteriores a 7.50.3 permiten a atacantes tener impacto no especificado a través de una cadena de longitud 0xffffffff, lo que desencadena un desbordamiento de búfer basado en memoria dinámica. Multiple integer overflow flaws leading to heap-based buffer overflows were found in the way curl handled escaping and unescaping of data. An attacker could potentially use these flaws to crash an application using libcurl by sending a specially crafted input to the affected libcurl functions. • http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/92975 http://www.securitytracker.com/id/1036813 http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.538632 https://access.redhat.com/errata/RHSA-2017:2016 https://access.redhat.com/errata/RHSA-2018:2486 https://access.redhat.com/errata/RHSA-2018:3558 https://curl.haxx.se/docs/adv_20160914.html https://lists.debian.org/debian-lts-announ • CWE-190: Integer Overflow or Wraparound •