CVE-2017-1000257 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Libcurl
Severity
9.1CRITICALNVD
EPSS
0.9%
top 24.67%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedOct 31
Latest updateApr 16
Description
An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into wh…
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:HExploitability: 3.9 | Impact: 5.2
Affected Packages2 packages
Also affects: Debian Linux 8.0, 9.0
🔴Vulnerability Details
4VulDB▶
cURL up to 7.56.0 IMAP FETCH Response memory corruption (adv_20171023 / Nessus ID 104105)↗2026-04-16
GHSA▶
GHSA-6x54-39w9-rqhw: An IMAP FETCH response line indicates the size of the returned data, in number of bytes↗2022-05-14
CVEList▶
CVE-2017-1000257: An IMAP FETCH response line indicates the size of the returned data, in number of bytes↗2017-10-31
OSV▶
CVE-2017-1000257: An IMAP FETCH response line indicates the size of the returned data, in number of bytes↗2017-10-31
📋Vendor Advisories
4💬Community
4Bugzilla
▶
Bugzilla
▶