CVE-2012-0036 — SQL Injection in Curl

CWE-89 — SQL Injection12 documents9 sources

Severity

7.5HIGHNVD

EPSS

10.3%

top 6.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Curl Curl Libcurl

Timeline

PublishedApr 13

Latest updateJul 7

Description

curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

▶NVDcurl/libcurl13 versions+12

▶Debianhaxx/curl< 7.24.0-1+3

▶NVDcurl/curl13 versions+12

Patches

Patch: curl.haxx.se ↗Patch: curl.haxx.se ↗

🔴Vulnerability Details

GHSA

GHSA-xxw5-p895-cp2c: curl and libcurl 7↗2022-05-04

▶

CVEList

CVE-2012-0036: curl and libcurl 7↗2012-04-13

▶

OSV

CVE-2012-0036: curl and libcurl 7↗2012-04-13

▶

📋Vendor Advisories

Red Hat

curl: URL sanitization vulnerability↗2012-01-24

▶

Ubuntu

curl vulnerability↗2012-01-24

▶

Debian

CVE-2012-0036: curl - curl and libcurl 7.2x before 7.24.0 do not properly consider special characters ...↗2012

▶

💬Community

HackerOne

curl mishandles `%0c%0b` sequences in HTTP responses leading to CRLF confusions, Headers and Cookies Injection↗2025-07-07

▶

Bugzilla

CVE-2012-0036 curl: URL sanitization vulnerability [fedora-all]↗2012-01-24

▶

Bugzilla

CVE-2012-0036 curl: URL sanitization vulnerability [fedora-all]↗2012-01-24

▶

Bugzilla

CVE-2012-0036 curl: URL sanitization vulnerability [epel-5]↗2012-01-24

▶

Bugzilla

CVE-2012-0036 curl: URL sanitization vulnerability↗2012-01-11

▶