CVE-2017-1000099
published 2017-10-05CVE-2017-1000099: When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this…
PriorityP430medium6.5CVSS 3.0
AVNACLPRNUIRSUCHINAN
EPSS
0.62%
70.7th percentile
When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently displayed. The wrong buffer was an uninitialized memory area allocated on the heap and if it turned out to not contain any zero byte, it would continue and display the data following that buffer in memory.
Affected
23 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | curl | — | — |
| haxx | curl | >= 0 < 7.55.0-r0 | 7.55.0-r0 |
| haxx | curl | >= 0 < 7.55.0-r0 | 7.55.0-r0 |
| haxx | curl | >= 0 < 7.55.0-r0 | 7.55.0-r0 |
| haxx | curl | >= 0 < 7.55.0-r0 | 7.55.0-r0 |
| haxx | curl | >= 0 < 7.55.0-r0 | 7.55.0-r0 |
| haxx | curl | >= 0 < 7.55.0-r0 | 7.55.0-r0 |
| haxx | curl | >= 0 < 7.55.0-r0 | 7.55.0-r0 |
| haxx | curl | >= 0 < 7.55.0-r0 | 7.55.0-r0 |
| haxx | curl | >= 0 < 7.55.0-r0 | 7.55.0-r0 |
| haxx | curl | >= 0 < 7.55.0-r0 | 7.55.0-r0 |
| haxx | curl | >= 0 < 7.55.0-r0 | 7.55.0-r0 |
| haxx | curl | >= 0 < 7.55.0-r0 | 7.55.0-r0 |
| haxx | curl | >= 0 < 7.55.0-r0 | 7.55.0-r0 |
| haxx | curl | >= 0 < 7.55.0-r0 | 7.55.0-r0 |
| haxx | curl | >= 0 < 7.55.0-r0 | 7.55.0-r0 |
| haxx | curl | >= 0 < 7.55.0-r0 | 7.55.0-r0 |
| haxx | curl | >= 0 < 7.55.0-r0 | 7.55.0-r0 |
| haxx | curl | >= 0 < 7.55.0-r0 | 7.55.0-r0 |
| haxx | curl | >= 0 < 7.55.0-r0 | 7.55.0-r0 |
| haxx | curl | >= 0 < 7.55.0-r0 | 7.55.0-r0 |
| haxx | curl | >= 0 < 7.55.0-r0 | 7.55.0-r0 |
| haxx | libcurl | — | — |
CVSS provenance
nvdv3.06.5MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:P/I:N/A:N
osv6.5MEDIUM
vendor_debian6.5LOW
vendor_redhat6.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-q937-ph5c-26qf: When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers
ghsa_unreviewed·2022-05-17
CVE-2017-1000099 [MEDIUM] CWE-200 GHSA-q937-ph5c-26qf: When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers
When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently displayed. The wrong buffer was an uninitialized memory area allocated on the heap and if it turned out to not contain any zero byte, it would continue and display the data following that buffer in memory.
OSV
CVE-2017-1000099: When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers
osv·2017-10-05·CVSS 6.5
CVE-2017-1000099 [MEDIUM] CVE-2017-1000099: When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers
When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently displayed. The wrong buffer was an uninitialized memory area allocated on the heap and if it turned out to not contain any zero byte, it would continue and display the data following that buffer in memory.
Red Hat
curl: FILE buffer read out of bounds
vendor_redhat·2017-08-09·CVSS 6.5
CVE-2017-1000099 [MEDIUM] CWE-125 curl: FILE buffer read out of bounds
curl: FILE buffer read out of bounds
When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently displayed. The wrong buffer was an uninitialized memory area allocated on the heap and if it turned out to not contain any zero byte, it would continue and display the data following that buffer in memory.
Package: rh-dotnetcore10-curl (.NET Core 1.0 on Red Hat Enterprise Linux) - Not affected
Package: rh-dotnetcore11-curl (.NET Core 1.1 on Red Hat Enterprise Linux) - Not affected
Package: rh-dotnet20-curl (.NET Core 2.0 on Red Hat Enter
Debian
CVE-2017-1000099: curl - When asking to get a file from a file:// URL, libcurl provides a feature that ou...
vendor_debian·2017·CVSS 6.5
CVE-2017-1000099 [MEDIUM] CVE-2017-1000099: curl - When asking to get a file from a file:// URL, libcurl provides a feature that ou...
When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently displayed. The wrong buffer was an uninitialized memory area allocated on the heap and if it turned out to not contain any zero byte, it would continue and display the data following that buffer in memory.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-1000099 CVE-2017-1000100 CVE-2017-1000101 curl: various flaws [fedora-all]
bugzilla·2017-08-09·CVSS 6.5
CVE-2017-1000099 [MEDIUM] CVE-2017-1000099 CVE-2017-1000100 CVE-2017-1000101 curl: various flaws [fedora-all]
CVE-2017-1000099 CVE-2017-1000100 CVE-2017-1000101 curl: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported ve
Bugzilla
CVE-2017-1000099 CVE-2017-1000100 CVE-2017-1000101 mingw-curl: various flaws [fedora-all]
bugzilla·2017-08-09·CVSS 6.5
CVE-2017-1000099 [MEDIUM] CVE-2017-1000099 CVE-2017-1000100 CVE-2017-1000101 mingw-curl: various flaws [fedora-all]
CVE-2017-1000099 CVE-2017-1000100 CVE-2017-1000101 mingw-curl: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple suppor
Bugzilla
CVE-2017-1000099 curl: FILE buffer read out of bounds
bugzilla·2017-08-04·CVSS 6.5
CVE-2017-1000099 [MEDIUM] CVE-2017-1000099 curl: FILE buffer read out of bounds
CVE-2017-1000099 curl: FILE buffer read out of bounds
When asking to get a file from a file:// URL, libcurl provides a feature that
outputs meta-data about the file using HTTP-like headers.
The code doing this would send the wrong buffer to the user (stdout or the
application's provide callback), which could lead to other private data from
the heap to get inadvertently displayed.
The wrong buffer was an uninitialized memory area allocated on the heap and if
it turned out to not contain any zero byte, it would continue and display the
data following that buffer in memory.
Affected versions: libcurl 7.54.1
Discussion:
Acknowledgments:
Name: the Curl project
Upstream: Even Rouault
---
Created attachment 1308974
Upstream patch
---
External References:
https://curl.haxx.se/docs/adv_
http://www.securityfocus.com/bid/100281http://www.securitytracker.com/id/1039119https://curl.haxx.se/0809C.patchhttps://security.gentoo.org/glsa/201709-14https://curl.haxx.se/docs/adv_20170809C.htmlhttp://www.securityfocus.com/bid/100281http://www.securitytracker.com/id/1039119https://curl.haxx.se/0809C.patchhttps://security.gentoo.org/glsa/201709-14
2017-10-05
Published