Severity: 9.8 CRITICAL
EPSS: 6.9% (top 8.60%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Sep 16
Latest update: May 24

Description

Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (13 packages)

Debian: curl < 7.66.0-1 (+3)
Ubuntu: curl < 7.47.0-1ubuntu2.14 (+1)
NVD: haxx/curl 7.19.4 to 7.65.3
CVEListV5: curl 7.19.4 to 7.65.3
NVD: oracle/mysql_server 5.0.0 to 5.7.28 (+1)

Also affects: Debian Linux 10.0, 9.0, Fedora 29, 30, 31

Patches

🔴 Vulnerability Details (4)

GHSA: GHSA-35cc-32cj-vr6g: Heap buffer overflow in the TFTP protocol handler in cURL 7 (2022-05-24)
CVEList: CVE-2019-5482: Heap buffer overflow in the TFTP protocol handler in cURL 7 (2019-09-16)
OSV: CVE-2019-5482: Heap buffer overflow in the TFTP protocol handler in cURL 7 (2019-09-16)
OSV: curl vulnerabilities (2019-09-11)

📋 Vendor Advisories (7)

Oracle: Oracle Oracle Fusion Middleware Risk Matrix: Web Listener (cURL) — CVE-2019-5482 (2020-10-15)
Oracle: Oracle Oracle Communications Applications Risk Matrix: REST API (cURL) — CVE-2019-5482 (2020-04-15)
Oracle: Oracle Oracle Enterprise Manager Risk Matrix: Networking (cURL) — CVE-2019-5482 (2020-01-15)
Ubuntu: curl vulnerability (2019-09-12)
Ubuntu: curl vulnerabilities (2019-09-11)

💬 Community (5)

HackerOne: CVE-2019-5482: Heap buffer overflow in TFTP when using small blksize (2020-11-14)
Bugzilla: CVE-2019-5482 mingw-curl: curl: heap buffer overflow in function tftp_receive_packet() [fedora-all] (2019-09-13)
Bugzilla: CVE-2019-5482 curl: heap buffer overflow in function tftp_receive_packet() [fedora-all] (2019-09-13)
Bugzilla: CVE-2019-5482 mingw-curl: curl: heap buffer overflow in function tftp_receive_packet() [epel-7] (2019-09-13)
Bugzilla: CVE-2019-5482 curl: heap buffer overflow in function tftp_receive_packet() (2019-09-06)