Haxx Libcurl vulnerabilities
60 known vulnerabilities affecting haxx/libcurl.
Total CVEs: 60
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 12, HIGH 17, MEDIUM 28, LOW 3
Vulnerabilities
Page 2 of 3
CVE-2018-16890 | HIGH | CVSS 7.5 | CWE-125 | ≥ 7.36.0, < 7.64.0 | 2019-02-06
libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could tr
nvd
CVE-2018-14618 | CRITICAL | CVSS 9.8 | fixed in 7.61.1 | 2018-09-05
curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large a temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate outpu
nvd
CVE-2016-8622 | CRITICAL | CVSS 9.8 | CWE-122 | fixed in 7.51.0 | 2018-07-31
The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate an unescape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned n
nvd
CVE-2017-7468 | HIGH | CVSS 7.5 | ≥ 7.52.0, ≤ 7.53.1 | 2018-07-16
In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). l
nvd
CVE-2018-1000005 | CRITICAL | CVSS 9.1 | CWE-125 | ≥ 7.49.0, ≤ 7.57.0 | 2018-01-24
libcurl 7.49.0 to and including 7.57.0 contains an out-of-bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the
nvd
CVE-2017-8818 | CRITICAL | CVSS 9.8 | CWE-119 | v7.56.0, v7.56.1 | 2017-11-29
curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact because too little memory is allocated for interfacing to an SSL library.
nvd
CVE-2017-8817 | CRITICAL | CVSS 9.8 | CWE-125 | ≤ 7.56.1 | 2017-11-29
The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character.
nvd
CVE-2017-8816 | CRITICAL | CVSS 9.8 | CWE-190 | ≥ 7.36.0, ≤ 7.56.1 | 2017-11-29
The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a denial of service (integer overflow and resultant buffer overflow, and application crash) or possibly have unspecified other impact via vectors involving long user and password fields.
nvd
CVE-2017-1000257 | CRITICAL | CVSS 9.1 | CWE-119 | ≥ 7.20.0, ≤ 7.56.0 | 2017-10-31
An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data t
nvd
CVE-2017-1000254 | HIGH | CVSS 7.5 | CWE-119 | v7.7, v7.7.1 +115 more | 2017-10-06
libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by li
nvd
CVE-2017-1000099 | MEDIUM | CVSS 6.5 | CWE-200 | v7.54.1 | 2017-10-05
When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provided callback), which could lead to other private data from the heap being inadvertently displayed. The wrong buffer w
nvd
CVE-2017-1000100 | MEDIUM | CVSS 6.5 | CWE-200 | v7.15.0, v7.15.1 +77 more | 2017-10-05
When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too-large value is then used in the sendto() call, making curl attempt to se
nvd
CVE-2016-7167 | CRITICAL | CVSS 9.8 | CWE-190 | ≤ 7.50.2 | 2016-10-07
Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow.
nvd
CVE-2016-7141 | HIGH | CVSS 7.5 | ≤ 7.50.1 | 2016-10-03
curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.
nvd
CVE-2016-5419 | HIGH | CVSS 7.5 | CWE-310 | ≤ 7.50.0 | 2016-08-10
curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.
nvd
CVE-2016-5420 | HIGH | CVSS 7.5 | CWE-285 | ≤ 7.50.0 | 2016-08-10
curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.
nvd
CVE-2016-5421 | HIGH | CVSS 8.1 | CWE-416 | ≤ 7.50.0 | 2016-08-10
Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to control which connection is used or possibly have unspecified other impact via unknown vectors.
nvd
CVE-2015-3237 | MEDIUM | CVSS 6.4 | CWE-20 | v7.40.0, v7.41.0 +2 more | 2015-06-22
The smb_request_state function in cURL and libcurl 7.40.0 through 7.42.1 allows remote SMB servers to obtain sensitive information from memory or cause a denial of service (out-of-bounds read and crash) via crafted length and offset values.
nvd
CVE-2015-3236 | MEDIUM | CVSS 5.0 | CWE-200 | v7.40.0, v7.41.0 +2 more | 2015-06-22
cURL and libcurl 7.40.0 through 7.42.1 send the HTTP Basic authentication credentials for a previous connection when reusing a reset (curl_easy_reset) connection handle to send a request to the same host name, which allows remote attackers to obtain sensitive information via unspecified vectors.
nvd
CVE-2015-3153 | MEDIUM | CVSS 5.0 | CWE-200 | ≤ 7.42.0 | 2015-05-01
The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.
nvd