Haxx Curl vulnerabilities

CVE-2018-1000300 [CRITICAL] CWE-787 CVE-2018-1000300: curl version curl 7.54.1 to and including curl 7.59.0 contains a CWE-122: Heap-based Buffer Overflow curl version curl 7.54.1 to and including curl 7.59.0 contains a CWE-122: Heap-based Buffer Overflow vulnerability in denial of service and more that can result in curl might overflow a heap based memory buffer when closing down an FTP connection with very long server command replies.. This vulnerability appears to have been fixed in curl = 7.

CVE-2016-9586 [HIGH] CWE-122 CVE-2016-9586: curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point outp curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks.

CVE-2016-9594 [HIGH] CWE-665 CVE-2016-9594: curl before version 7.52.1 is vulnerable to an uninitialized random in libcurl's internal function t curl before version 7.52.1 is vulnerable to an uninitialized random in libcurl's internal function that returns a good 32bit random value. Having a weak or virtually non-existent random value makes the operations that use it vulnerable.

CVE-2018-1000120 [CRITICAL] CWE-787 CVE-2018-1000120: A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 in the FTP URL handling that al A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 in the FTP URL handling that allows an attacker to cause a denial of service or worse.

CVE-2018-1000122 [CRITICAL] CWE-125 CVE-2018-1000122: A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage

CVE-2018-1000121 [HIGH] CWE-476 CVE-2018-1000121: A NULL pointer dereference exists in curl 7.21.0 to and including curl 7.58.0 in the LDAP code that A NULL pointer dereference exists in curl 7.21.0 to and including curl 7.58.0 in the LDAP code that allows an attacker to cause a denial of service

CVE-2016-9953 [CRITICAL] CWE-125 CVE-2016-9953: The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, allows remote attackers to obtain sensitive information, cause a denial of service (crash), or possibly have unspecified other impact via a wildcard certificate name, which triggers an out-of-bounds read.

CVE-2017-2628 [CRITICAL] CVE-2017-2628: curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not correctly backport curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not correctly backport the fix for CVE-2015-3148 because it did not reflect the fact that the HAVE_GSSAPI define was meanwhile substituted by USE_HTTP_NEGOTIATE. This issue was introduced in RHEL 6.7 and affects RHEL 6 curl only.

CVE-2016-9952 [HIGH] CWE-295 CVE-2016-9952: The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built The verify_certificate function in lib/vtls/schannel.c in libcurl 7.30.0 through 7.51.0, when built for Windows CE using the schannel TLS backend, makes it easier for remote attackers to conduct man-in-the-middle attacks via a crafted wildcard SAN in a server certificate, as demonstrated by "*.com."

CVE-2018-1000007 [CRITICAL] CVE-2018-1000007: libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` respo

CVE-2018-1000005 [CRITICAL] CVE-2018-1000005: libcurl 7 libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently c

CVE-2017-8816 [CRITICAL] CWE-190 CVE-2017-8816: The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attacke The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a denial of service (integer overflow and resultant buffer overflow, and application crash) or possibly have unspecified other impact via vectors involving long user and password fields.

CVE-2017-8817 [CRITICAL] CWE-125 CVE-2017-8817: The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denia The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character.

CVE-2017-8818 [CRITICAL] CWE-119 CVE-2017-8818: curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to cause a denial of service (out curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact because too little memory is allocated for interfacing to an SSL library.

CVE-2017-1000257 [CRITICAL] CVE-2017-1000257: An IMAP FETCH response line indicates the size of the returned data, in number of bytes An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the leng

CVE-2013-2617 [HIGH] CWE-94 Curl Gem insufficient URL escaping command injection Curl Gem insufficient URL escaping command injection `lib/curl.rb` in the Curl Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.

CVE-2017-1000254 [HIGH] CVE-2017-1000254: libcurl may read outside of a heap allocated buffer when doing FTP libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw

CVE-2017-1000101 [MEDIUM] CWE-119 CVE-2017-1000101: curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterat curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. Th

CVE-2017-1000099 [MEDIUM] CVE-2017-1000099: When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently dis

CVE-2017-1000100 [MEDIUM] CVE-2017-1000100: When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncat When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in th