Debian Curl vulnerabilities

182 known vulnerabilities affecting debian/curl.

Total CVEs: 182
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 23, HIGH 36, MEDIUM 65, LOW 58

Vulnerabilities

Page 3 of 10
CVE-2023-27537 | MEDIUM | CVSS 5.9 | fixed in curl 7.88.1-7 (bookworm) | 2023
CVE-2023-27537 [MEDIUM] curl - A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS data between separate "handles". This sharing was introduced without consideration for doing this sharing across separate threads, but there was no indication of this fact in the documentation. Due to missing mutexes or thread locks, two threads sharing the same HSTS data could end up doing a double-
debian
CVE-2023-27538 | MEDIUM | CVSS 5.5 | fixed in curl 7.88.1-7 (bookworm) | 2023
CVE-2023-27538 [MEDIUM] curl - An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were
debian
CVE-2023-46219 | MEDIUM | CVSS 5.3 | fixed in curl 7.88.1-10+deb12u5 (bookworm) | 2023
CVE-2023-46219 [MEDIUM] curl - When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use. Scope: local. bookworm: resolved (fixed in 7.88.1-10+deb12u5); bullseye: open; forky: resolved (fixed in 8.5.0-1); sid: resolved (fixed in 8.5.0-1); trixie: resolved (fixed in 8.5.
debian
CVE-2023-27536 | MEDIUM | CVSS 5.9 | fixed in curl 7.88.1-7 (bookworm) | 2023
CVE-2023-27536 [MEDIUM] curl - An authentication bypass vulnerability exists in libcurl <8.0.0 in the connection reuse feature, which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized a
debian
CVE-2023-27535 | MEDIUM | CVSS 5.9 | fixed in curl 7.88.1-7 (bookworm) | 2023
CVE-2023-27535 [MEDIUM] curl - An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_US
debian
CVE-2023-28321 | MEDIUM | CVSS 5.9 | fixed in curl 7.88.1-10 (bookworm) | 2023
CVE-2023-28321 [MEDIUM] curl - An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (Internatio
debian
CVE-2023-38546 | LOW | CVSS 3.7 | fixed in curl 7.88.1-10+deb12u4 (bookworm) | 2023
CVE-2023-38546 [LOW] curl - This flaw allows an attacker to insert cookies at will into a running program using libcurl, if a specific series of conditions is met. libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers. libcurl provides a function call that duplicates an easy handle called [curl_easy_duphandle](https://
debian
CVE-2023-28320 | LOW | CVSS 5.9 | fixed in curl 7.88.1-10 (bookworm) | 2023
CVE-2023-28320 [MEDIUM] curl - A denial of service vulnerability exists in curl <v8.1.0 in the way libcurl provides several different backends for resolving host names, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time-out slow operations using `alarm()` and `siglongjmp()`. When doing this, libcurl used a global buffer that was not mutex protec
debian
CVE-2023-28322 | LOW | CVSS 3.7 | fixed in curl 7.88.1-10 (bookworm) | 2023
CVE-2023-28322 [LOW] curl - An information disclosure vulnerability exists in curl <v8.1.0: when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the applicati
debian
CVE-2022-32207 | CRITICAL | CVSS 9.8 | fixed in curl 7.84.0-1 (bookworm) | 2022
CVE-2022-32207 [CRITICAL] curl - When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name. In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended. Scope: local
debian
CVE-2022-32221 | CRITICAL | CVSS 9.8 | fixed in curl 7.86.0-1 (bookworm) | 2022
CVE-2022-32221 [CRITICAL] curl - When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wron
debian
CVE-2022-43551 | HIGH | CVSS 7.5 | fixed in curl 7.86.0-3 (bookworm) | 2022
CVE-2022-43551 [HIGH] curl - A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get re
debian
CVE-2022-27775 | HIGH | CVSS 7.5 | fixed in curl 7.83.0-1 (bookworm) | 2022
CVE-2022-27775 [HIGH] curl - An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0: when using an IPv6 address that was in the connection pool but with a different zone id, it could reuse a connection instead. Scope: local. bookworm: resolved (fixed in 7.83.0-1); bullseye: resolved (fixed in 7.74.0-1.3+deb11u2); forky: resolved (fixed in 7.83.0-1); sid: resolved (fixe
debian
CVE-2022-42915 | HIGH | CVSS 8.1 | fixed in curl 7.86.0-1 (bookworm) | 2022
CVE-2022-42915 [HIGH] curl - curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers
debian
CVE-2022-27782 | HIGH | CVSS 7.5 | fixed in curl 7.83.1-1 (bookworm) | 2022
CVE-2022-27782 [HIGH] curl - libcurl would reuse a previously created connection even when a TLS or SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several TLS and SSH settings were left out from the configuration match checks, making them ma
debian
CVE-2022-42916 | HIGH | CVSS 7.5 | fixed in curl 7.86.0-1 (bookworm) | 2022
CVE-2022-42916 [HIGH] curl - In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII coun
debian
CVE-2022-27778 | HIGH | CVSS 8.1 | fixed in curl 7.83.1-1 (bookworm) | 2022
CVE-2022-27778 [HIGH] curl - A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used together with `--remove-on-error`. Scope: local. bookworm: resolved (fixed in 7.83.1-1); bullseye: resolved; forky: resolved (fixed in 7.83.1-1); sid: resolved (fixed in 7.83.1-1); trixie: resolved (fixed in 7.83.1-1)
debian
CVE-2022-27781 | HIGH | CVSS 7.5 | fixed in curl 7.83.1-1 (bookworm) | 2022
CVE-2022-27781 [HIGH] curl - libcurl provides the `CURLOPT_CERTINFO` option to allow applications to request details to be returned about a server's certificate chain. Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve that information. Scope: local. bookworm: resolved (fixed in 7.83.1-1); bullseye: resolved (f
debian
CVE-2022-22576 | HIGH | CVSS 8.1 | fixed in curl 7.83.0-1 (bookworm) | 2022
CVE-2022-22576 [HIGH] curl - An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse of OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only). Scope: local. bo
debian
CVE-2022-27780 | HIGH | CVSS 7.5 | fixed in curl 7.83.1-1 (bookworm) | 2022
CVE-2022-27780 [HIGH] curl - The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a *different* URL using the wrong host name when it is later retrieved. For example, a URL like `http://example.com%2F127.0.0.1/`, would be allowed by the parser and get transposed into `http://example.com/127.0.0.1/`. This flaw can be used to cir
debian
Debian Curl vulnerabilities | cvebase