Alpine: libcurl, multiple curl packages: security update to 7.56.1-r0

critical Tenable Self-Hosted Container Security Plugin ID 423813

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that
response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and
the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic
number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based
buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory
lies after (or just crash) and then deliver that to the application as if it was actually downloaded.
(CVE-2017-1000257)

See Also

https://security.alpinelinux.org/vuln/CVE-2017-1000257

Plugin Details

Severity: Critical

ID: 423813

Version: Revision 1.8

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.04

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P

CVSS Score Source: CVE-2017-1000257

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 10/23/2017

Reference Information

CVE: CVE-2017-1000257

BID: 101519