CVE-2017-1000101 (GCVE-0-2017-1000101)

Vulnerability from cvelistv5 – Published: 2017-10-04 01:00 – Updated: 2024-08-05 21:53
Summary
curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to wrongly read something else instead of crashing. An example of a URL that triggers the flaw would be `http://ur%20[0-60000000000000000000`.
Severity
No CVSS data available.
CWE
  • n/a
Assigner
References
  • https://support.apple.com/HT208221 (x_refsource_CONFIRM)
  • https://access.redhat.com/errata/RHSA-2018:3558 (vendor-advisory, x_refsource_REDHAT)
  • https://security.gentoo.org/glsa/201709-14 (vendor-advisory, x_refsource_GENTOO)
  • https://curl.haxx.se/docs/adv_20170809A.html (x_refsource_CONFIRM)
  • http://www.securitytracker.com/id/1039117 (vdb-entry, x_refsource_SECTRACK)
  • http://www.securityfocus.com/bid/100249 (vdb-entry, x_refsource_BID)
  • http://www.debian.org/security/2017/dsa-3992 (vendor-advisory, x_refsource_DEBIAN)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T21:53:06.565Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.apple.com/HT208221"
          },
          {
            "name": "RHSA-2018:3558",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:3558"
          },
          {
            "name": "GLSA-201709-14",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/201709-14"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://curl.haxx.se/docs/adv_20170809A.html"
          },
          {
            "name": "1039117",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1039117"
          },
          {
            "name": "100249",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/100249"
          },
          {
            "name": "DSA-3992",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2017/dsa-3992"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "dateAssigned": "2017-08-22T00:00:00",
      "datePublic": "2017-10-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "curl supports \"globbing\" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to wrongly read something else instead of crashing. An example of a URL that triggers the flaw would be `http://ur%20[0-60000000000000000000`."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-11-13T10:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.apple.com/HT208221"
        },
        {
          "name": "RHSA-2018:3558",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:3558"
        },
        {
          "name": "GLSA-201709-14",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/201709-14"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://curl.haxx.se/docs/adv_20170809A.html"
        },
        {
          "name": "1039117",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1039117"
        },
        {
          "name": "100249",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/100249"
        },
        {
          "name": "DSA-3992",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2017/dsa-3992"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "DATE_ASSIGNED": "2017-08-22T17:29:33.316423",
          "ID": "CVE-2017-1000101",
          "REQUESTER": "daniel@haxx.se",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "curl supports \"globbing\" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to wrongly read something else instead of crashing. An example of a URL that triggers the flaw would be `http://ur%20[0-60000000000000000000`."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://support.apple.com/HT208221",
              "refsource": "CONFIRM",
              "url": "https://support.apple.com/HT208221"
            },
            {
              "name": "RHSA-2018:3558",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:3558"
            },
            {
              "name": "GLSA-201709-14",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/201709-14"
            },
            {
              "name": "https://curl.haxx.se/docs/adv_20170809A.html",
              "refsource": "CONFIRM",
              "url": "https://curl.haxx.se/docs/adv_20170809A.html"
            },
            {
              "name": "1039117",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1039117"
            },
            {
              "name": "100249",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/100249"
            },
            {
              "name": "DSA-3992",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2017/dsa-3992"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-1000101",
    "datePublished": "2017-10-04T01:00:00",
    "dateReserved": "2017-10-03T00:00:00",
    "dateUpdated": "2024-08-05T21:53:06.565Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.4.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BC7E5201-24A0-4CEF-84D2-76DB195D3A8E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.35.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4D558CC2-0146-4887-834E-19FCB1D512A3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.36.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6931764D-16AB-4546-9CE3-5B4E03BC984A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.37.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6FC1313E-8DCB-4B29-A9BC-A27C8CB360E9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.37.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B27C2E02-5C0A-4A12-B0A6-5B1C0DFA94E9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.38.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EFC7535F-B8C7-490F-A2F9-1DCFD41A3C9B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.39.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3CCBFE6D-F6A9-4394-9AF8-F830DC7E6A81\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.40.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5DEBBFCA-6A18-4F8F-B841-50255C952FA0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.41.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FEEAE437-A645-468B-B283-44799658F534\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.42.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"03F7EE95-4EBE-4306-ADFE-A1A92CAD5F24\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.42.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"79F7AE71-7A18-4737-9C02-0A3343B3AD4C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.43.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BC589DE6-773A-43E8-9393-3083DB545671\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.44.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": 
\"24D735EA-04E3-47E7-A859-3CC1ED887E10\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.45.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"063C1A70-0869-4933-88D7-ECE7ACCF0F99\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.46.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"70B0A020-3DA1-4753-B810-C60E7CA06839\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.47.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"63A18050-0DA7-400A-B564-AC9A020D57CD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.47.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9D168A62-A5B0-4BA8-8243-1AAF3B395567\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.48.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"11D8B02D-5A97-4F9A-8EE8-D60D621E0B0D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.49.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D7DC2429-0B58-4D68-9337-0077C4493714\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.49.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A4D5B7BD-2B9D-40AB-B13A-393FF0007A8A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.50.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E2AFED4D-0672-467F-999C-9D6C3722B8C9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.50.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4BDCCD2D-3D98-4FC3-BAB5-3D09A0CAD12C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.50.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8DA228CD-70CF-41FC-98F6-38194466CC32\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.50.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EFDE2415-78F8-4A36-AA9B-6EA8DCE399AD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.51.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CCA05266-35B6-422D-AE73-4C934B4F5091\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.52.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A2AB70F1-D6A9-4ADF-A506-4C9DEE8AE754\"}, {\"vulnerable\": true, \"criteria\": 
\"cpe:2.3:a:haxx:curl:7.52.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3C2FDF0C-6493-4BE1-851E-0D8CE94E36B2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.53.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2EA9D7F9-A972-41A8-9561-DB72E37184F8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.53.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"641ACFC8-BDE2-42AC-8B3D-EF78695AD750\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.54.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8629C630-14E0-4C94-BBD1-B5203488A6FB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.54.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"31C6D873-9770-4FD0-AC75-4D6C06FC4A8B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:haxx:curl:7.55.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CADB89B4-7218-4E2B-BB94-8CCEB79FB3F0\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"curl supports \\\"globbing\\\" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to wrongly read something else instead of crashing. An example of a URL that triggers the flaw would be `http://ur%20[0-60000000000000000000`.\"}, {\"lang\": \"es\", \"value\": \"curl es compatible con el \\\"globbing\\\" de URL, donde un usuario puede pasar un rango num\\u00e9rico para hacer que la herramienta itere sobre esos n\\u00fameros para realizar una secuencia de transferencias. En la funci\\u00f3n de \\\"globbing\\\" que analiza sint\\u00e1cticamente el rango num\\u00e9rico, hay una omisi\\u00f3n que hace que curl lea un byte m\\u00e1s all\\u00e1 del fin de la URL si se proporciona una URL manipulada o simplemente mal escrita. La URL se almacena en un b\\u00fafer basado en memoria din\\u00e1mica (heap) para que se pueda hacer luego de tal manera que lea err\\u00f3neamente otra cosa en vez de cerrarse inesperadamente. A continuaci\\u00f3n se muestra un ejemplo de una URL que desencadena este fallo: \\\"http://ur%20[0-60000000000000000000\\\".\"}]",
      "id": "CVE-2017-1000101",
      "lastModified": "2024-11-21T03:04:09.803",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:N/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2017-10-05T01:29:04.103",
      "references": "[{\"url\": \"http://www.debian.org/security/2017/dsa-3992\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.securityfocus.com/bid/100249\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1039117\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:3558\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://curl.haxx.se/docs/adv_20170809A.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Issue Tracking\", \"Vendor Advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/201709-14\", \"source\": \"cve@mitre.org\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://support.apple.com/HT208221\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.debian.org/security/2017/dsa-3992\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/100249\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1039117\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:3558\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://curl.haxx.se/docs/adv_20170809A.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Vendor Advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/201709-14\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://support.apple.com/HT208221\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-119\"}]}]"
    }
  }
}

