Page 8 of 41 results (0.008 seconds)

CVSS: 7.3EPSS: 1%CPEs: 6EXPL: 0

The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015. La función ConnectionExists en lib/url.c en libcurl en versiones anteriores a 7.47.0 no reutiliza correctamente las conexiones proxy autenticadas por NTML, lo que podría permitir a atacantes remotos autenticarse como otros usuarios a través de una petición, un problema similar a CVE-2014-0015. • http://curl.haxx.se/docs/adv_20160127A.html http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176546.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177342.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177383.html http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176413.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00031.html • CWE-287: Improper Authentication •

CVSS: 5.0EPSS: 0%CPEs: 12EXPL: 0

The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents. La configuración por defecto para cURL y libcurl anterior a 7.42.1 envía cabeceras HTTP personalizadas tanto al servidor proxy como al de destinación, lo que podría permitir a servidores proxy remotos obtener información sensible mediante la lectura de los contenidos de cabeceras. • http://curl.haxx.se/docs/adv_20150429.html http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743 http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html http://lists.opensuse.org/opensuse-updates/2015-05/msg00017.html http://www.debian.org/security/2015/dsa-3240 http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html http://www.oracle.com/technetwork/topics/security/cpu • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 5.0EPSS: 0%CPEs: 17EXPL: 0

cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1. cURL y libcurl anteriores a 7.38.0 no manejan correctamente las direcciones IP en nombres de dominio de cookies, lo que permite a atacantes remotos usar cookies definidas por ellos mismos o enviar cookies arbitrarias a ciertos sitios, como originada por un sitio en 192.168.0.1 estableciendo las cookies para un sitio en 127.168.0.1. It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user's cookie to a crafted domain, making other cookie-related issues easier to exploit. • http://curl.haxx.se/docs/adv_20140910A.html http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743 http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00024.html http://rhn.redhat.com/errata/RHSA-2015-1254.html http://www.debian.org/security/2014/dsa-3022 http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936&# • CWE-284: Improper Access Control CWE-310: Cryptographic Issues •

CVSS: 5.0EPSS: 0%CPEs: 17EXPL: 0

cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain. cURL y libcurl anteriores a 7.38.0 permite a atacantes remotos evadir Same Origin Policy y configurar cookies para sitios arbitrarios mediante la configuración de una cookie de un dominio de nivel superior. • http://curl.haxx.se/docs/adv_20140910B.html http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743 http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00024.html http://www.debian.org/security/2014/dsa-3022 http://www.openwall.com/lists/oss-security/2022/05/11/2 http://www.securityfocus.com/bid/69742 https://support.apple.com/kb/HT205031 • CWE-310: Cryptographic Issues •

CVSS: 5.0EPSS: 0%CPEs: 131EXPL: 0

The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL. La función tailMatch en cookie.c en cURL y libcurl antes de v7.30.0 no comprueba correctamente la ruta del dominio al enviar las cookies, lo que permite robar las cookies a atacantes remotos a través de un sufijo coincidente en el dominio de una URL. • http://curl.haxx.se/docs/adv_20130412.html http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102056.html http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102711.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104207.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104598.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105539.h • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •