Haxx Curl vulnerabilities

182 known vulnerabilities affecting haxx/curl.

Total CVEs: 182
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 32, HIGH 59, MEDIUM 77, LOW 14

Vulnerabilities

Page 6 of 10
CVE-2018-16839 | CRITICAL | CVSS 9.8 | ≥ 7.33.0, ≤ 7.61.1 | 2018-10-31
CWE-122. Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.
nvd, osv
CVE-2018-16840 | CRITICAL | CVSS 9.8 | ≥ 7.59.0, < 7.62.0 | 2018-10-31
CWE-416. A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that
nvd, osv
CVE-2018-16980 | MEDIUM | CVSS 6.1 | ≥ 0, < 7.64.0-r0 | 2018-09-12
dotCMS V5.0.1 has XSS in the /html/portlet/ext/contentlet/image_tools/index.jsp fieldName and inode parameters.
osv
CVE-2018-14618 | CRITICAL | CVSS 9.8 | ≥ 0, < 7.62.0-1 | 2018-09-05
curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math
osv
CVE-2003-1605 | HIGH | CVSS 7.5 | ≥ 7.1.0, < 7.10.7 | 2018-08-23
CWE-255. curl 7.x before 7.10.7 sends CONNECT proxy credentials to the remote server.
nvd, osv
CVE-2016-8619 | CRITICAL | CVSS 9.8 | fixed in 7.51.0 | 2018-08-01
CWE-416. The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.
nvd, osv
CVE-2016-8620 | CRITICAL | CVSS 9.8 | fixed in 7.51.0 | 2018-08-01
CWE-120. The 'globbing' feature in curl before version 7.51.0 has a flaw that leads to integer overflow and out-of-bounds read via user controlled input.
nvd, osv
CVE-2016-8615 | HIGH | CVSS 7.5 | fixed in 7.51.0 | 2018-08-01
CWE-99. A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.
nvd, osv
CVE-2016-8623 | HIGH | CVSS 7.5 | fixed in 7.51.0 | 2018-08-01
CWE-416. A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure.
nvd, osv
CVE-2016-8625 | HIGH | CVSS 7.5 | fixed in 7.51.0 | 2018-08-01
CWE-20. curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.
nvd, osv
CVE-2016-8616 | MEDIUM | CVSS 5.9 | fixed in 7.51.0 | 2018-08-01
CWE-592. A flaw was found in curl before version 7.51.0. When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused
nvd, osv
CVE-2016-8618 | CRITICAL | CVSS 9.8 | fixed in 7.51.0 | 2018-07-31
CWE-416. The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables.
nvd, osv
CVE-2016-8622 | CRITICAL | CVSS 9.8 | ≥ 0, < 7.51.0-1 | 2018-07-31
The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate an unescape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing
osv
CVE-2016-8617 | HIGH | CVSS 7.0 | fixed in 7.51.0 | 2018-07-31
CWE-787. The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.
nvd, osv
CVE-2016-8624 | HIGH | CVSS 7.5 | fixed in 7.51.0 | 2018-07-31
CWE-20. curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use a URL parser that follows the RFC to check for allowed domains before using curl to request th
nvd, osv
CVE-2016-8621 | HIGH | CVSS 7.5 | fixed in 7.51.0 | 2018-07-31
CWE-125. The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out of bounds read if it receives an input with one digit short.
nvd, osv
CVE-2017-2629 | MEDIUM | CVSS 6.5 | fixed in 7.53.0 | 2018-07-27
CWE-295. curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. This could
nvd, osv
CVE-2017-7468 | HIGH | CVSS 7.5 | ≥ 0, < 7.52.1-5 | 2018-07-16
In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). libcurl supports by default the use of TLS session id/ticket to resume previous
osv
CVE-2018-0500 | CRITICAL | CVSS 9.8 | ≥ 7.54.1, ≤ 7.60.0 | 2018-07-11
CWE-787. Curl_smtp_escape_eob in lib/smtp.c in curl 7.54.1 to and including curl 7.60.0 has a heap-based buffer overflow that might be exploitable by an attacker who can control the data that curl transmits over SMTP with certain settings (i.e., use of a nonstandard --limit-rate argument or CURLOPT_BUFFERSIZE value).
nvd, osv
CVE-2018-1000301 | CRITICAL | CVSS 9.1 | ≥ 7.20.0, ≤ 7.59.0 | 2018-05-24
CWE-125. curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content. This vulnerability appears to have been fixed in curl = 7.60.0.
nvd, osv