CVE-2012-0036


Description

curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.

References

http://curl.haxx.se/curl-url-sanitize.patch

http://curl.haxx.se/docs/adv_20120124.html

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041

http://lists.apple.com/archives/security-announce/2012/May/msg00001.html

http://secunia.com/advisories/48256

http://security.gentoo.org/glsa/glsa-201203-02.xml

http://support.apple.com/kb/HT5281

http://www.debian.org/security/2012/dsa-2398

http://www.mandriva.com/security/advisories?name=MDVSA-2012:058

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

http://www.securityfocus.com/bid/51665

http://www.securitytracker.com/id/1032924

https://bugzilla.redhat.com/show_bug.cgi?id=773457

https://github.com/bagder/curl/commit/75ca568fa1c19de4c5358fed246686de8467c238

https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03760en_us

Details

Source: MITRE

Published: 2012-04-13

Updated: 2018-01-10

Type: CWE-89

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

Tenable Plugins

14 plugins in total:

ID | Name | Product | Family | Severity
75806 | openSUSE Security Update : curl (openSUSE-SU-2012:0229-1) (BEAST) | Nessus | SuSE Local Security Checks | high
74807 | openSUSE Security Update : curl (openSUSE-2012-76) (BEAST) | Nessus | SuSE Local Security Checks | high
801396 | cURL/libcURL Remote Input Validation Vulnerability | Log Correlation Engine | Web Clients | medium
6903 | cURL/libcURL Remote Input Validation | Nessus Network Monitor | Web Clients | high
59851 | HP System Management Homepage < 7.1.1 Multiple Vulnerabilities | Nessus | Web Servers | critical
6482 | Mac OS X 10.7 < 10.7.4 Multiple Vulnerabilities | Nessus Network Monitor | Generic | critical
59066 | Mac OS X 10.7.x < 10.7.4 Multiple Vulnerabilities (BEAST) | Nessus | MacOS X Local Security Checks | critical
58759 | Mandriva Linux Security Advisory : curl (MDVSA-2012:058) | Nessus | Mandriva Local Security Checks | high
58212 | GLSA-201203-02 : cURL: Multiple vulnerabilities (BEAST) | Nessus | Gentoo Local Security Checks | high
57897 | Fedora 15 : curl-7.21.3-13.fc15 (2012-0888) | Nessus | Fedora Local Security Checks | high
57842 | SuSE 10 Security Update : curl (ZYPP Patch Number 7937) | Nessus | SuSE Local Security Checks | high
57738 | Debian DSA-2398-2 : curl - several vulnerabilities (BEAST) | Nessus | Debian Local Security Checks | high
57719 | Fedora 16 : curl-7.21.7-6.fc16 (2012-0894) | Nessus | Fedora Local Security Checks | high
57689 | Ubuntu 10.10 / 11.04 / 11.10 : curl vulnerability (USN-1346-1) | Nessus | Ubuntu Local Security Checks | high