Description

CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.

References

http://advisories.mageia.org/MGASA-2015-0020.html

http://curl.haxx.se/docs/adv_20150108B.html

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743

http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147856.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147876.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-May/156945.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157188.html

http://lists.opensuse.org/opensuse-updates/2015-02/msg00040.html

http://rhn.redhat.com/errata/RHSA-2015-1254.html

http://secunia.com/advisories/61925

http://secunia.com/advisories/62075

http://secunia.com/advisories/62361

http://www.debian.org/security/2015/dsa-3122

http://www.mandriva.com/security/advisories?name=MDVSA-2015:021

http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html

http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html

http://www.securityfocus.com/bid/71964

http://www.securitytracker.com/id/1032768

http://www.ubuntu.com/usn/USN-2474-1

https://kc.mcafee.com/corporate/index?page=content&id=SB10131

https://security.gentoo.org/glsa/201701-47

https://support.apple.com/kb/HT205031

Details

Risk Information

CVSS v2