Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Curl
(Haxx)| Repositories |
• https://github.com/curl/curl
• https://github.com/bagder/curl |
| #Vulnerabilities | 112 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2018-07-27 | CVE-2017-2629 | curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. This could lead to users not detecting when a server's certificate goes invalid or otherwise be mislead that the server is in a better shape than it is... | Curl | 6.5 | ||
| 2017-04-03 | CVE-2017-7407 | The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which leads to a heap-based buffer over-read. | Curl | 2.4 | ||
| 2018-10-31 | CVE-2018-16842 | Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service. | Ubuntu_linux, Debian_linux, Curl | 9.1 | ||
| 2018-05-24 | CVE-2018-1000301 | curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0. | Ubuntu_linux, Debian_linux, Curl, Communications_webrtc_session_controller, Enterprise_manager_ops_center, Peoplesoft_enterprise_peopletools, Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_workstation | 9.1 | ||
| 2018-03-14 | CVE-2018-1000121 | A NULL pointer dereference exists in curl 7.21.0 to and including curl 7.58.0 in the LDAP code that allows an attacker to cause a denial of service | Ubuntu_linux, Debian_linux, Curl, Communications_webrtc_session_controller, Enterprise_manager_ops_center, Peoplesoft_enterprise_peopletools, Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_workstation | 7.5 | ||
| 2018-03-14 | CVE-2018-1000122 | A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage | Ubuntu_linux, Debian_linux, Curl, Communications_webrtc_session_controller, Enterprise_manager_ops_center, Peoplesoft_enterprise_peopletools, Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_workstation | 9.1 | ||
| 2018-03-14 | CVE-2018-1000120 | A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 in the FTP URL handling that allows an attacker to cause a denial of service or worse. | Ubuntu_linux, Debian_linux, Curl, Communications_webrtc_session_controller, Enterprise_manager_ops_center, Peoplesoft_enterprise_peopletools, Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_workstation | 9.8 | ||
| 2017-06-14 | CVE-2017-9502 | In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. If the default protocol is specified to be FILE or a file: URL lacks two slashes, the given "URL" starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl would... | Curl | 5.3 | ||
| 2017-11-29 | CVE-2017-8818 | curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact because too little memory is allocated for interfacing to an SSL library. | Curl, Libcurl | 9.8 | ||
| 2017-11-29 | CVE-2017-8817 | The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character. | Debian_linux, Curl, Libcurl | 9.8 |