CVE-2012-0036high
New! CVE Severity Now Using CVSS v3
The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.
Description
curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.
References
http://curl.haxx.se/curl-url-sanitize.patch
http://curl.haxx.se/docs/adv_20120124.html
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041
http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
http://secunia.com/advisories/48256
http://security.gentoo.org/glsa/glsa-201203-02.xml
http://support.apple.com/kb/HT5281
http://www.debian.org/security/2012/dsa-2398
http://www.mandriva.com/security/advisories?name=MDVSA-2012:058
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.securityfocus.com/bid/51665
http://www.securitytracker.com/id/1032924
https://bugzilla.redhat.com/show_bug.cgi?id=773457
https://github.com/bagder/curl/commit/75ca568fa1c19de4c5358fed246686de8467c238
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03760en_us
Vulnerable Software
Configuration 1
OR
cpe:2.3:a:curl:curl:7.20.0:*:*:*:*:*:*:*
cpe:2.3:a:curl:curl:7.20.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:curl:7.21.0:*:*:*:*:*:*:*
cpe:2.3:a:curl:curl:7.21.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:curl:7.21.2:*:*:*:*:*:*:*
cpe:2.3:a:curl:curl:7.21.3:*:*:*:*:*:*:*
cpe:2.3:a:curl:curl:7.21.4:*:*:*:*:*:*:*
cpe:2.3:a:curl:curl:7.21.5:*:*:*:*:*:*:*
cpe:2.3:a:curl:curl:7.21.6:*:*:*:*:*:*:*
cpe:2.3:a:curl:curl:7.21.7:*:*:*:*:*:*:*
cpe:2.3:a:curl:curl:7.22.0:*:*:*:*:*:*:*
Configuration 2
OR
cpe:2.3:a:curl:libcurl:7.20.0:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.20.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.21.0:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.21.1:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.21.2:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.21.3:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.21.4:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.21.5:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.21.6:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.21.7:*:*:*:*:*:*:*
cpe:2.3:a:curl:libcurl:7.22.0:*:*:*:*:*:*:*
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 75806 | openSUSE Security Update : curl (openSUSE-SU-2012:0229-1) (BEAST) | Nessus | SuSE Local Security Checks | high |
| 74807 | openSUSE Security Update : curl (openSUSE-2012-76) (BEAST) | Nessus | SuSE Local Security Checks | high |
| 801396 | cURL/libcURL Remote Input Validation Vulnerability | Log Correlation Engine | Web Clients | medium |
| 6903 | cURL/libcURL Remote Input Validation | Nessus Network Monitor | Web Clients | high |
| 59851 | HP System Management Homepage < 7.1.1 Multiple Vulnerabilities | Nessus | Web Servers | critical |
| 6482 | Mac OS X 10.7 < 10.7.4 Multiple Vulnerabilities | Nessus Network Monitor | Generic | critical |
| 59066 | Mac OS X 10.7.x < 10.7.4 Multiple Vulnerabilities (BEAST) | Nessus | MacOS X Local Security Checks | critical |
| 58759 | Mandriva Linux Security Advisory : curl (MDVSA-2012:058) | Nessus | Mandriva Local Security Checks | high |
| 58212 | GLSA-201203-02 : cURL: Multiple vulnerabilities (BEAST) | Nessus | Gentoo Local Security Checks | high |
| 57897 | Fedora 15 : curl-7.21.3-13.fc15 (2012-0888) | Nessus | Fedora Local Security Checks | high |
| 57842 | SuSE 10 Security Update : curl (ZYPP Patch Number 7937) | Nessus | SuSE Local Security Checks | high |
| 57738 | Debian DSA-2398-2 : curl - several vulnerabilities (BEAST) | Nessus | Debian Local Security Checks | high |
| 57719 | Fedora 16 : curl-7.21.7-6.fc16 (2012-0894) | Nessus | Fedora Local Security Checks | high |
| 57689 | Ubuntu 10.10 / 11.04 / 11.10 : curl vulnerability (USN-1346-1) | Nessus | Ubuntu Local Security Checks | high |