CVE-2021-22898 – curl: TELNET stack contents disclosure
https://notcve.org/view.php?id=CVE-2021-22898
curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol. curl versiones 7.7 hasta 7.76.1 sufre de una divulgacion de información cuando la opción de línea de comandos "-t", conocida como "CURLOPT_TELNETOPTIONS" en libcurl, se usa para enviar pares de variables=contenido a servidores TELNET. Debido a un fallo en el analizador de opciones para el envío de variables NEW_ENV, podría hacer que libcurl pasara datos no inicializados de un búfer basado en la pila al servidor, resultando en una potencial divulgación de información interna confidencial al servidor que usaba un protocolo de red de texto sin cifrar A flaw was found in the way curl handled telnet protocol option for sending environment variables, which could lead to sending of uninitialized data from a stack-based buffer to the server. This issue leads to potentially revealing sensitive internal information to the server using a clear-text network protocol. • http://www.openwall.com/lists/oss-security/2021/07/21/4 https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://curl.se/docs/CVE-2021-22898.html https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde https://hackerone.com/reports/1176461 https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c%40%3Cissues.guacamole.apache.org%3E https://lists.debian.org/debian-lts-announce/2021/08/msg00017.html https://lists.debian.org/debian-lts-ann • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-908: Use of Uninitialized Resource CWE-909: Missing Initialization of Resource •
CVE-2020-8284 – curl: FTP PASV command response can cause curl to connect to arbitrary host
https://notcve.org/view.php?id=CVE-2020-8284
A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions. Un servidor malicioso puede usar la respuesta FTP PASV para engañar a curl versiones 7.73.0 y anteriores, para que se conecte de nuevo a una dirección IP y puerto determinados, y de esta manera potencialmente hacer que curl extraiga información sobre servicios que de otro modo serían privados y no divulgados, por ejemplo, haciendo escaneo de puerto y extracciones del banner de servicio A malicious server can use the `PASV` response to trick curl into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions. If curl operates on a URL provided by a user, a user can exploit that and pass in a URL to a malicious FTP server instance without needing any server breach to perform the attack. • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://curl.se/docs/CVE-2020-8284.html https://hackerone.com/reports/1040166 https://lists.debian.org/debian-lts-announce/2020/12/msg00029.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG https://security.gentoo.org/glsa/202012-14 https://securi • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2020-8169 – libcurl: partial password leak over DNS on HTTP redirect
https://notcve.org/view.php?id=CVE-2020-8169
curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s). curl versiones 7.62.0 hasta 7.70.0, es susceptible a una vulnerabilidad de divulgación de información que puede conllevar a que una contraseña parcial sea filtrada a través de la red y a servidor(es) DNS A flaw was found in libcurl. A part of a password may be prepended to the host name before the host name is resolved, leading to a leak of the partial password over the network and to DNS servers. This highest threat from this vulnerability is to data confidentiality. • https://cert-portal.siemens.com/productcert/pdf/ssa-200951.pdf https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://curl.se/docs/CVE-2020-8169.html https://hackerone.com/reports/874778 https://www.debian.org/security/2021/dsa-4881 https://access.redhat.com/security/cve/CVE-2020-8169 https://bugzilla.redhat.com/show_bug.cgi?id=1847916 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2020-8177 – curl: Incorrect argument check can allow remote servers to overwrite local files
https://notcve.org/view.php?id=CVE-2020-8177
curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used. curl versiones 7.20.0 hasta 7.70.0, es vulnerable a una restricción inapropiada de nombres para archivos y otros recursos que pueden conllevar a sobrescribir demasiado un archivo local cuando el flag -J es usado A flaw was found in curl. Overwriting local files is possible when using a certain combination of command line options. Requesting content from a malicious server could lead to overwriting local files with compromised files leading to unknown effects. The highest threat from this vulnerability is to file integrity. • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://curl.se/docs/CVE-2020-8177.html https://hackerone.com/reports/887462 https://www.debian.org/security/2021/dsa-4881 https://www.oracle.com/security-alerts/cpujan2022.html https://access.redhat.com/security/cve/CVE-2020-8177 https://bugzilla.redhat.com/show_bug.cgi?id=1847915 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVE-2016-4606
https://notcve.org/view.php?id=CVE-2016-4606
Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks. Curl versiones anteriores a 7.49.1, en Apple OS X macOS Sierra versiones anteriores a 10.12, permite a atacantes remotos o locales ejecutar código arbitrario, conseguir información confidencial, causar condición de denegación de servicio (DoS), omitir las restricciones de seguridad y llevar a cabo acciones no autorizadas. Esto puede ayudar en otros ataques. • http://www.securityfocus.com/bid/93055 http://www.securitytracker.com/id/1036858 https://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html •