
cURL/libcurl 7.x < 7.51.0 Multiple Vulnerabilities

High

Synopsis

The host is running a version of cURL/libcurl that is vulnerable to multiple attack vectors.

Description

Versions of cURL and libcurl prior to 7.51.0 are affected by multiple vulnerabilities:

- A flaw exists in the International Domain Names (IDNA) handling when translating domain names to Punycode for DNS resolving. The issue is triggered as the outdated IDNA 2003 standard is used instead of IDNA 2008, e.g. for the German 'LATIN SMALL LETTER SHARP S' Unicode character. This may result in incorrect translation for a domain name and in turn network traffic being directed to a different host than intended. (OSVDB 146555)
- A flaw exists in the 'ConnectionExists()' function in 'lib/url.c' that is triggered when checking credentials supplied for reused connections, as the comparison is case-insensitive. This may allow a remote attacker to authenticate without knowing the proper case of the username and password. (OSVDB 146565)
- An integer truncation flaw exists in the 'curl_easy_unescape()' function in 'lib/escape.c' that is triggered when handling overly large URLs. This may allow a context-dependent attacker to cause a heap-based buffer overflow, crashing a process linked against the library or potentially allowing the execution of arbitrary code. (OSVDB 146567)
- An integer overflow condition exists in the 'base64_encode()' function in 'lib/base64.c' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a heap-based buffer overflow, crashing a process linked against the library or potentially allowing the execution of arbitrary code. (OSVDB 146568)
- A flaw exists in the 'alloc_addbyter()' function in 'lib/mprintf.c' that is triggered as overly long input is not properly validated when supplied to the 'curl_maprintf()' API method. This may allow a context-dependent attacker to free already freed memory and crash a process linked against the library. (OSVDB 146569)
- A use-after-free error exists in 'lib/cookie.c' that is triggered when handling shared cookies. This may allow a context-dependent attacker to dereference already freed memory and potentially disclose memory contents. (OSVDB 146570)
- A flaw exists in the 'parseurlandfillconn()' function in 'lib/url.c' that is triggered when parsing the authority component of a URL with the hostname part ending in a '#' character. This may allow a context-dependent attacker to establish a connection to a different host than intended. (OSVDB 146571)
- A double-free error exists in the 'read_data()' function in 'lib/security.c' that is triggered when handling Kerberos authentication. This may allow a context-dependent attacker to free already freed memory and have an unspecified impact. (OSVDB 146572)
- A flaw exists in the 'Curl_cookie_init()' function in 'lib/cookie.c' that is triggered when handling cookies. This may allow a context-dependent attacker to inject new cookies for arbitrary domains. (OSVDB 146573)
- An out-of-bounds read flaw exists in the 'parsedate()' function in 'lib/parsedate.c' that is triggered when handling dates. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (OSVDB 146574)
- An out-of-bounds access flaw exists in 'tool_urlglob.c' within the globbing feature. This may allow a context-dependent attacker to potentially disclose memory contents or execute arbitrary code. (OSVDB 146575)
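
The IDNA item in the list above can be audited against a list of hostnames an application fetches. The following Python sketch is an added example, not code from this advisory or from the curl project; it goes beyond the sharp s case by covering the four characters UTS #46 lists as IDNA 2003/2008 deviations, and `idna2008_approx`, `audit` and the sample hostnames are assumptions made for illustration.

```python
# Added example: flag hostnames whose DNS name differs between
# IDNA 2003 and IDNA 2008 processing.
import unicodedata

# Characters UTS #46 lists as "deviations": valid in IDNA 2008 but mapped away
# by IDNA 2003 (sharp s -> "ss", final sigma -> sigma, ZWNJ/ZWJ removed).
DEVIATIONS = {"\u00df", "\u03c2", "\u200c", "\u200d"}


def idna2003(host):
    """Encode with Python's built-in 'idna' codec, which implements IDNA 2003."""
    return host.encode("idna").decode("ascii")


def idna2008_approx(host):
    """Simplified IDNA 2008 form: NFC + lowercase, then Punycode per label.
    Assumption: no IDNA 2008 validity checks are performed here."""
    labels = []
    for label in unicodedata.normalize("NFC", host).lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def audit(hosts):
    """Return (host, idna2003, idna2008) for hosts where the two forms differ."""
    findings = []
    for host in hosts:
        if not DEVIATIONS & set(host):
            continue  # no deviation character, both standards agree
        old, new = idna2003(host), idna2008_approx(host)
        if old != new:
            findings.append((host, old, new))
    return findings


# Constructed sample input: stra<sharp s>e.de and b<u-umlaut>cher.example.
SAMPLE_HOSTS = ["example.com", "stra\u00dfe.de", "b\u00fccher.example"]

if __name__ == "__main__":
    for host, old, new in audit(SAMPLE_HOSTS):
        print(f"{host!r}: IDNA2003={old} IDNA2008={new}")
```

Any hostname this reports is one where a client using IDNA 2003 and a registry or client using IDNA 2008 look up different DNS names.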

Solution

Upgrade to cURL/libcurl 7.51.0 or later.