CVE-2017-1000100

Published: 05/10/2017 Updated: 13/11/2018
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8
VMScore: 384
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too-large value is then used in the sendto() call, making curl attempt to send more data than is actually put into the buffer. The sendto() function will then read beyond the end of the heap-based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it into sending private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS.
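The length-accounting mistake described above, shown as an added example beside a hardened form. This is a simplified model written for this page, not curl's source: the function names and the 516-byte `PKT_CAP` are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define PKT_CAP 516 /* assumed capacity: 512-byte block + 4-byte header */

/* Writes opcode + "fname\0mode\0" into pkt, truncating to PKT_CAP.
   Returns the length a caller would hand to sendto(). */
static size_t rrq_len_buggy(unsigned char *pkt, const char *fname,
                            const char *mode)
{
    pkt[0] = 0; pkt[1] = 1; /* opcode 1 = read request */
    snprintf((char *)pkt + 2, PKT_CAP - 2, "%s%c%s", fname, '\0', mode);
    /* BUG: computed from the untruncated inputs, not from what was written */
    return 2 + strlen(fname) + 1 + strlen(mode) + 1;
}

/* Hardened form: reject names that do not fit; returns 0 on rejection. */
static size_t rrq_len_fixed(unsigned char *pkt, const char *fname,
                            const char *mode)
{
    size_t need = 2 + strlen(fname) + 1 + strlen(mode) + 1;
    if (need > PKT_CAP)
        return 0; /* caller must fail the transfer instead of sending */
    pkt[0] = 0; pkt[1] = 1;
    snprintf((char *)pkt + 2, PKT_CAP - 2, "%s%c%s", fname, '\0', mode);
    return need;
}

/* Bytes a send of send_len would read past the end of the buffer. */
static size_t overread(size_t send_len)
{
    return send_len > PKT_CAP ? send_len - PKT_CAP : 0;
}

int main(void)
{
    unsigned char pkt[PKT_CAP];
    char name[601]; /* constructed sample: 600-byte file name */
    memset(name, 'A', 600);
    name[600] = '\0';

    size_t bad = rrq_len_buggy(pkt, name, "octet");
    printf("buggy length %zu, over-read %zu bytes\n", bad, overread(bad));
    printf("fixed length %zu (0 = rejected)\n",
           rrq_len_fixed(pkt, name, "octet"));
    return 0;
}
```
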

Vulnerable Product

haxx libcurl 7.52.0

haxx libcurl 7.52.1

haxx libcurl 7.44.0

haxx libcurl 7.45.0

haxx libcurl 7.15.0

haxx libcurl 7.37.0

haxx libcurl 7.42.1

haxx libcurl 7.50.0

haxx libcurl 7.16.0

haxx libcurl 7.16.1

haxx libcurl 7.18.1

haxx libcurl 7.18.2

haxx libcurl 7.19.6

haxx libcurl 7.19.7

haxx libcurl 7.20.0

haxx libcurl 7.21.5

haxx libcurl 7.21.6

haxx libcurl 7.26.0

haxx libcurl 7.27.0

haxx libcurl 7.34.0

haxx libcurl 7.35.0

haxx libcurl 7.54.0

haxx libcurl 7.54.1

haxx libcurl 7.50.3

haxx libcurl 7.47.1

haxx libcurl 7.48.0

haxx libcurl 7.39

haxx libcurl 7.40.0

haxx libcurl 7.15.2

haxx libcurl 7.15.3

haxx libcurl 7.16.4

haxx libcurl 7.17.0

haxx libcurl 7.19.2

haxx libcurl 7.19.3

haxx libcurl 7.21.1

haxx libcurl 7.21.2

haxx libcurl 7.23.0

haxx libcurl 7.23.1

haxx libcurl 7.29.0

haxx libcurl 7.30.0

haxx libcurl 7.53.0

haxx libcurl 7.53.1

haxx libcurl 7.46.0

haxx libcurl 7.47.0

haxx libcurl 7.37.1

haxx libcurl 7.38.0

haxx libcurl 7.50.1

haxx libcurl 7.50.2

haxx libcurl 7.15.1

haxx libcurl 7.16.2

haxx libcurl 7.16.3

haxx libcurl 7.19.0

haxx libcurl 7.19.1

haxx libcurl 7.20.1

haxx libcurl 7.21.0

haxx libcurl 7.21.7

haxx libcurl 7.22.0

haxx libcurl 7.28.0

haxx libcurl 7.28.1

haxx libcurl 7.36.0

haxx libcurl 7.51.0

haxx libcurl 7.43.0

haxx libcurl 7.49.0

haxx libcurl 7.49.1

haxx libcurl 7.41.0

haxx libcurl 7.42.0

haxx libcurl 7.15.4

haxx libcurl 7.15.5

haxx libcurl 7.17.1

haxx libcurl 7.18.0

haxx libcurl 7.19.4

haxx libcurl 7.19.5

haxx libcurl 7.21.3

haxx libcurl 7.21.4

haxx libcurl 7.24.0

haxx libcurl 7.25.0

haxx libcurl 7.31.0

haxx libcurl 7.32.0

haxx libcurl 7.33.0

Vendor Advisories

Synopsis: Moderate: httpd24 security, bug fix, and enhancement update. Type/Severity: Security Advisory: Moderate. Topic: An update for httpd24-httpd, httpd24-nghttp2, and httpd24-curl is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of ...
Debian Bug report logs - #871554 curl: CVE-2017-1000101: URL globbing out of bounds read. Package: src:curl; Maintainer for src:curl is Alessandro Ghedini <ghedo@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Wed, 9 Aug 2017 07:03:02 UTC; Severity: important; Tags: fixed-upstream, patch, secur ...
Debian Bug report logs - #871555 curl: CVE-2017-1000100: TFTP sends more than buffer size. Package: src:curl; Maintainer for src:curl is Alessandro Ghedini <ghedo@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Wed, 9 Aug 2017 07:09:01 UTC; Severity: important; Tags: fixed-upstream, patch, secu ...
Several vulnerabilities have been discovered in cURL, an URL transfer library. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2017-1000100: Even Rouault reported that cURL does not properly handle long file names when doing an TFTP upload. A malicious HTTP(S) server can take advantage of this fla ...
Several security issues were fixed in curl ...
FILE buffer read out of bounds (CVE-2017-1000099); TFTP sends more than buffer size (CVE-2017-1000100); URL globbing out of bounds read (CVE-2017-1000101) ...
When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send ...
An information disclosure issue has been found in curl < 7.55.0. When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large v ...