Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Haxx Subscribe
Total 125 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-8231 4 Debian, Haxx, Oracle and 1 more 4 Debian Linux, Libcurl, Communications Cloud Native Core Policy and 1 more 2022-05-13 5.0 MEDIUM 7.5 HIGH
Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data.
CVE-2020-8286 7 Apple, Debian, Fedoraproject and 4 more 19 Mac Os X, Macos, Debian Linux and 16 more 2022-05-13 5.0 MEDIUM 7.5 HIGH
curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.
CVE-2021-22901 4 Haxx, Netapp, Oracle and 1 more 33 Curl, Active Iq Unified Manager, Cloud Backup and 30 more 2022-05-13 6.8 MEDIUM 8.1 HIGH
curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory.
CVE-2014-3620 2 Apple, Haxx 3 Mac Os X, Curl, Libcurl 2022-05-11 5.0 MEDIUM N/A
cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain.
CVE-2020-8169 3 Debian, Haxx, Siemens 5 Debian Linux, Curl, Simatic Tim 1531 Irc and 2 more 2022-04-19 5.0 MEDIUM 7.5 HIGH
curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s).
CVE-2021-22890 7 Broadcom, Debian, Fedoraproject and 4 more 10 Fabric Operating System, Debian Linux, Fedora and 7 more 2022-04-06 4.3 MEDIUM 3.7 LOW
curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.
CVE-2021-22876 7 Broadcom, Debian, Fedoraproject and 4 more 11 Fabric Operating System, Debian Linux, Fedora and 8 more 2022-04-06 5.0 MEDIUM 5.3 MEDIUM
curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.
CVE-2019-5482 6 Debian, Fedoraproject, Haxx and 3 more 17 Debian Linux, Fedora, Curl and 14 more 2021-11-03 7.5 HIGH 9.8 CRITICAL
Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.
CVE-2019-5443 4 Haxx, Microsoft, Netapp and 1 more 10 Curl, Windows, Oncommand Insight and 7 more 2021-11-03 4.4 MEDIUM 7.8 HIGH
A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl "engine") on invocation. If that curl is invoked by a privileged user it can do anything it wants.
CVE-2017-1000254 1 Haxx 1 Libcurl 2021-06-29 5.0 MEDIUM 7.5 HIGH
libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.
CVE-2016-9586 1 Haxx 1 Curl 2021-06-29 6.8 MEDIUM 8.1 HIGH
curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks.
CVE-2016-8625 1 Haxx 1 Curl 2021-06-29 5.0 MEDIUM 7.5 HIGH
curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.
CVE-2016-8624 1 Haxx 1 Curl 2021-06-29 5.0 MEDIUM 7.5 HIGH
curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.
CVE-2016-8623 1 Haxx 1 Curl 2021-06-29 5.0 MEDIUM 7.5 HIGH
A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure.
CVE-2016-8617 1 Haxx 1 Curl 2021-06-29 4.4 MEDIUM 7.0 HIGH
The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.
CVE-2016-8615 1 Haxx 1 Curl 2021-06-29 5.0 MEDIUM 7.5 HIGH
A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.
CVE-2019-3822 7 Canonical, Debian, Haxx and 4 more 16 Ubuntu Linux, Debian Linux, Libcurl and 13 more 2021-06-15 7.5 HIGH 9.8 CRITICAL
libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.
CVE-2019-3823 5 Canonical, Debian, Haxx and 2 more 7 Ubuntu Linux, Debian Linux, Libcurl and 4 more 2021-03-09 5.0 MEDIUM 7.5 HIGH
libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. The read contents will not be returned to the caller.
CVE-2019-5436 7 Debian, F5, Fedoraproject and 4 more 11 Debian Linux, Traffix Signaling Delivery Controller, Fedora and 8 more 2020-10-20 4.6 MEDIUM 7.8 HIGH
A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.
CVE-2019-5435 1 Haxx 1 Curl 2020-10-20 4.3 MEDIUM 3.7 LOW
An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1.