CVE-2013-2174

Published: 31/07/2013 Updated: 22/04/2019
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
VMScore: 605
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

Heap-based buffer overflow in the curl_easy_unescape function in lib/escape.c in cURL and libcurl 7.7 up to and including 7.30.0 allows remote malicious users to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string ending in a "%" (percent) character.

Vulnerable Product

haxx curl 7.7

haxx curl 7.9.3

haxx curl 7.9.2

haxx curl 7.10.1

haxx curl 7.7.3

haxx curl 7.8

haxx curl 7.9.7

haxx curl 7.9.6

haxx curl 7.10.5

haxx curl 7.10.8

haxx curl 7.12.1

haxx curl 7.12.2

haxx curl 7.12.3

haxx curl 7.15.1

haxx curl 7.15.2

haxx curl 7.16.1

haxx curl 7.16.0

haxx curl 7.19.6

haxx curl 7.19.7

haxx curl 7.21.6

haxx curl 7.21.7

haxx curl 7.22.0

haxx curl 7.23.0

haxx curl 7.29.0

haxx curl 7.30.0

haxx curl 7.8.1

haxx curl 7.9.1

haxx curl 7.9

haxx curl 7.9.8

haxx curl 7.10.2

haxx curl 7.10.7

haxx curl 7.10

haxx curl 7.13.1

haxx curl 7.13.2

haxx curl 7.15.5

haxx curl 7.15.4

haxx curl 7.17.1

haxx curl 7.17.0

haxx curl 7.19.4

haxx curl 7.19.5

haxx curl 7.21.4

haxx curl 7.21.5

haxx curl 7.23.1

haxx curl 7.24.0

haxx curl 7.10.4

haxx curl 7.11.0

haxx curl 7.11.1

haxx curl 7.13.0

haxx curl 7.14.0

haxx curl 7.15.3

haxx curl 7.16.4

haxx curl 7.18.2

haxx curl 7.18.1

haxx curl 7.19.2

haxx curl 7.19.3

haxx curl 7.21.2

haxx curl 7.21.3

haxx curl 7.25.0

haxx curl 7.26.0

haxx curl 7.27.0

haxx curl 7.7.1

haxx curl 7.7.2

haxx curl 7.9.5

haxx curl 7.9.4

haxx curl 7.10.3

haxx curl 7.10.6

haxx curl 7.11.2

haxx curl 7.12.0

haxx curl 7.14.1

haxx curl 7.15.0

haxx curl 7.16.3

haxx curl 7.16.2

haxx curl 7.18.0

haxx curl 7.19.1

haxx curl 7.19.0

haxx curl 7.20.0

haxx curl 7.20.1

haxx curl 7.21.0

haxx curl 7.21.1

haxx curl 7.28.1

haxx curl 7.28.0

haxx libcurl 7.8.1

haxx libcurl 7.9

haxx libcurl 7.9.7

haxx libcurl 7.9.8

haxx libcurl 7.10.7

haxx libcurl 7.10.8

haxx libcurl 7.7

haxx libcurl 7.9.1

haxx libcurl 7.9.2

haxx libcurl 7.10

haxx libcurl 7.10.1

haxx libcurl 7.11.0

haxx libcurl 7.11.1

haxx libcurl 7.13.1

haxx libcurl 7.13.2

haxx libcurl 7.15.4

haxx libcurl 7.15.5

haxx libcurl 7.16.0

haxx libcurl 7.18.0

haxx libcurl 7.18.1

haxx libcurl 7.19.5

haxx libcurl 7.19.6

haxx libcurl 7.21.4

haxx libcurl 7.21.5

haxx libcurl 7.25.0

haxx libcurl 7.26.0

haxx libcurl 7.12.3

haxx libcurl 7.13.0

haxx libcurl 7.15.2

haxx libcurl 7.15.3

haxx libcurl 7.17.0

haxx libcurl 7.17.1

haxx libcurl 7.19.3

haxx libcurl 7.19.4

haxx libcurl 7.21.1

haxx libcurl 7.21.2

haxx libcurl 7.21.3

haxx libcurl 7.23.1

haxx libcurl 7.24.0

haxx libcurl 7.30.0

haxx libcurl 7.7.1

haxx libcurl 7.7.2

haxx libcurl 7.9.3

haxx libcurl 7.9.4

haxx libcurl 7.10.2

haxx libcurl 7.10.3

haxx libcurl 7.10.4

haxx libcurl 7.11.2

haxx libcurl 7.12.0

haxx libcurl 7.14.0

haxx libcurl 7.14.1

haxx libcurl 7.16.1

haxx libcurl 7.16.2

haxx libcurl 7.18.2

haxx libcurl 7.19.0

haxx libcurl 7.19.7

haxx libcurl 7.20.0

haxx libcurl 7.21.6

haxx libcurl 7.21.7

haxx libcurl 7.27.0

haxx libcurl 7.28.0

haxx libcurl 7.7.3

haxx libcurl 7.8

haxx libcurl 7.9.5

haxx libcurl 7.9.6

haxx libcurl 7.10.5

haxx libcurl 7.10.6

haxx libcurl 7.12.1

haxx libcurl 7.12.2

haxx libcurl 7.15.0

haxx libcurl 7.15.1

haxx libcurl 7.16.3

haxx libcurl 7.16.4

haxx libcurl 7.19.1

haxx libcurl 7.19.2

haxx libcurl 7.20.1

haxx libcurl 7.21.0

haxx libcurl 7.22.0

haxx libcurl 7.23.0

haxx libcurl 7.28.1

haxx libcurl 7.29.0

opensuse opensuse 11.4

canonical ubuntu linux 12.04

canonical ubuntu linux 12.10

canonical ubuntu linux 10.04

canonical ubuntu linux 13.04

redhat enterprise linux 5

redhat enterprise linux 6.0

Vendor Advisories

libcurl could be made to crash or run programs as your login if it received specially crafted input ...

Timo Sirainen discovered that cURL, an URL transfer library, is prone to a heap overflow vulnerability due to bad checking of the input data in the curl_easy_unescape function. The curl command line tool is not affected by this problem as it doesn't use the curl_easy_unescape function. For the oldstable distribution (squeeze), this problem has been ...

ICS Advisories

Hitachi Energy MSM Product
Critical Infrastructure Sectors: Energy