The Curl Project Curl vulnerabilities
17 known vulnerabilities affecting the_curl_project/curl.
Total CVEs: 17
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 8, HIGH 8, MEDIUM 1
Vulnerabilities
CVE-2019-3822 | CRITICAL | CWE-121 | CVSS 9.8 | v7.64.0 | 2019-02-06
libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting ov
cvelistv5, nvd
CVE-2018-16890 | HIGH | CWE-125 | CVSS 7.5 | v7.64.0 | 2019-02-06
libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could tr
cvelistv5, nvd
CVE-2019-3823 | HIGH | CWE-125 | CVSS 7.5 | v7.64.0 | 2019-02-06
libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. The read conten
cvelistv5, nvd
CVE-2018-16839 | CRITICAL | CWE-122 | CVSS 9.8 | from 7.33.0 to 7.61.1 | 2018-10-31
Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.
cvelistv5, nvd
CVE-2018-16842 | CRITICAL | CWE-125 | CVSS 9.1 | from 7.14.1 to 7.61.1 | 2018-10-31
Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.
cvelistv5, nvd
CVE-2018-16840 | CRITICAL | CWE-416 | CVSS 9.8 | from 7.59.0 to 7.61.1 | 2018-10-31
A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that
cvelistv5, nvd
CVE-2016-8619 | CRITICAL | CWE-416 | CVSS 9.8 | v7.51.0 | 2018-08-01
The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.
cvelistv5, nvd
CVE-2016-8620 | CRITICAL | CWE-120 | CVSS 9.8 | v7.51.0 | 2018-08-01
The 'globbing' feature in curl before version 7.51.0 has a flaw that leads to integer overflow and out-of-bounds read via user-controlled input.
cvelistv5, nvd
CVE-2016-8625 | HIGH | CWE-20 | CVSS 7.5 | v7.51.0 | 2018-08-01
curl before version 7.51.0 uses the outdated IDNA 2003 standard to handle International Domain Names, and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.
cvelistv5, nvd
CVE-2016-8623 | HIGH | CWE-416 | CVSS 7.5 | v7.51.0 | 2018-08-01
A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure.
cvelistv5, nvd
CVE-2016-8615 | HIGH | CWE-99 | CVSS 7.5 | v7.51.0 | 2018-08-01
A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.
cvelistv5, nvd
CVE-2016-8616 | MEDIUM | CWE-592 | CVSS 5.9 | v7.51.0 | 2018-08-01
A flaw was found in curl before version 7.51.0. When re-using a connection, curl was doing case-insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused
cvelistv5, nvd
CVE-2016-8618 | CRITICAL | CWE-416 | CVSS 9.8 | v7.51.0 | 2018-07-31
The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32-bit `size_t` variables.
cvelistv5, nvd
CVE-2016-8622 | CRITICAL | CWE-122 | CVSS 9.8 | v7.51.0 | 2018-07-31
The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate an unescape destination buffer larger than 2GB, it would return that new length in a signed 32-bit integer variable, thus the length would get either just truncated or both truncated and turned n
cvelistv5, nvd
CVE-2016-8621 | HIGH | CWE-125 | CVSS 7.5 | v7.51.0 | 2018-07-31
The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out-of-bounds read if it receives an input that is one digit short.
cvelistv5, nvd
CVE-2016-8624 | HIGH | CWE-20 | CVSS 7.5 | v7.51.0 | 2018-07-31
curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you, for example, use a URL parser that follows the RFC to check for allowed domains before using curl to request them.
cvelistv5
CVE-2016-8617 | HIGH | CWE-787 | CVSS 7.0 | v7.51.0 | 2018-07-31
The base64 encode function in curl before version 7.51.0 is prone to a buffer being under-allocated on 32-bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.
cvelistv5, nvd