CVSS: 5.3EPSS: 0%CPEs: 16EXPL: 1CVE-2021-22876 – curl: Leak of authentication credentials in URL via automatic Referer
https://notcve.org/view.php?id=CVE-2021-22876
curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. curl versiones 7.1.1 hasta 7.75.0 incluyéndola, es vulnerable a una "Exposure of Private Personal Information to an Unauthorized Actor" al filtrar credenciales en el encabezado HTTP Referer:. libcurl no elimina las credenciales de usuario de la URL cuando completa automáticamente el campo de encabezado de petición HTTP Referer: en peticiones HTTP salientes y, por lo tanto, corre el riesgo de filtrar datos confidenciales al servidor que es el objetivo de la segunda petición HTTP. It was discovered that libcurl did not remove authentication credentials from URLs when automatically populating the Referer HTTP request header while handling HTTP redirects. This could lead to exposure of the credentials to the server to which requests were redirected. • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://curl.se/docs/CVE-2021-22876.html https://hackerone.com/reports/1101882 https://lists.debian.org/debian-lts-announce/2021/05/msg00019.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC https://lists.fedoraproject.org/archives/list/package-announce%40 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •
CVSS: 10.0EPSS: 1%CPEs: 11EXPL: 0CVE-2018-14618 – curl: NTLM password overflow via integer overflow
https://notcve.org/view.php?id=CVE-2018-14618
curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. • http://www.securitytracker.com/id/1041605 https://access.redhat.com/errata/RHSA-2018:3558 https://access.redhat.com/errata/RHSA-2019:1880 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618 https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf https://curl.haxx.se/docs/CVE-2018-14618.html https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0014 https://security.gentoo.org/glsa/201903-03 https://usn.ubuntu.com/3765-1 https://usn.ubuntu.com/ • CWE-122: Heap-based Buffer Overflow CWE-131: Incorrect Calculation of Buffer Size CWE-190: Integer Overflow or Wraparound •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0CVE-2016-8622 – curl: URL unescape heap overflow via integer truncation
https://notcve.org/view.php?id=CVE-2016-8622
The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer. La función URL percent-encoding en libcurl en versiones anteriores a la 7.51.0 se denomina "curl_easy_unescape". Internamente, aunque esta función se haya hecho para asignar un búfer de destino no escapado más grande de 2GB, devuelve esa nueva longitud en una variable de enteros de 32 bits. • http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/94105 http://www.securitytracker.com/id/1037192 https://access.redhat.com/errata/RHSA-2018:2486 https://access.redhat.com/errata/RHSA-2018:3558 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8622 https://curl.haxx.se/docs/adv_20161102H.html https://security.gentoo.org/glsa/201701-47 https://www.tenable.com/security/tns-2016-21 https://access.redhat.com/securit • CWE-122: Heap-based Buffer Overflow CWE-190: Integer Overflow or Wraparound CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2016-7141 – curl: Incorrect reuse of client certificates
https://notcve.org/view.php?id=CVE-2016-7141
curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420. curl y libcurl en versiones anteriores a 7.50.2, cuando se construye con NSS y la librería libnsspem.so está disponible en tiempo de ejecución, permiten a atacantes remotos secuestrar la autenticación de una conexión TLS aprovechando la reutilización de un certificado cliente cargado previamente desde un archivo para una conexión para el que no se ha configurado ningún certificado, una vulnerabilidad diferente a CVE-2016-5420. It was found that the libcurl library using the NSS (Network Security Services) library as TLS/SSL backend incorrectly re-used client certificates for subsequent TLS connections in certain cases. An attacker could potentially use this flaw to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate. • http://lists.opensuse.org/opensuse-updates/2016-09/msg00094.html http://rhn.redhat.com/errata/RHSA-2016-2575.html http://rhn.redhat.com/errata/RHSA-2016-2957.html http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/92754 http://www.securitytracker.com/id/1036739 https://access.redhat.com/errata/RHSA-2018:3558 https://bugzilla.redhat.com/show_bug.cgi?id=1373229 https://curl.haxx.se/docs/adv_20160907.html https://githu • CWE-287: Improper Authentication CWE-295: Improper Certificate Validation •
CVSS: 9.8EPSS: 2%CPEs: 4EXPL: 0CVE-2016-7167 – curl: escape and unescape integer overflows
https://notcve.org/view.php?id=CVE-2016-7167
Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow. Múltiples desbordamientos de entero en las funciones (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape y (4) curl_easy_unescape en libcurl en versiones anteriores a 7.50.3 permiten a atacantes tener impacto no especificado a través de una cadena de longitud 0xffffffff, lo que desencadena un desbordamiento de búfer basado en memoria dinámica. Multiple integer overflow flaws leading to heap-based buffer overflows were found in the way curl handled escaping and unescaping of data. An attacker could potentially use these flaws to crash an application using libcurl by sending a specially crafted input to the affected libcurl functions. • http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/92975 http://www.securitytracker.com/id/1036813 http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.538632 https://access.redhat.com/errata/RHSA-2017:2016 https://access.redhat.com/errata/RHSA-2018:2486 https://access.redhat.com/errata/RHSA-2018:3558 https://curl.haxx.se/docs/adv_20160914.html https://lists.debian.org/debian-lts-announ • CWE-190: Integer Overflow or Wraparound •