curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to wrongly read something else instead of crashing. An example of a URL that triggers the flaw would be `ur%20[0-60000000000000000000`.
| Vulnerable Product | Search on Vulmon | Subscribe to Product |
|---|---|---|
haxx curl 7.39.0 |
||
haxx curl 7.4.1 |
||
haxx curl 7.46.0 |
||
haxx curl 7.47.0 |
||
haxx curl 7.50.2 |
||
haxx curl 7.50.3 |
||
haxx curl 7.54.1 |
||
haxx curl 7.55.0 |
||
haxx curl 7.35.0 |
||
haxx curl 7.40.0 |
||
haxx curl 7.41.0 |
||
haxx curl 7.47.1 |
||
haxx curl 7.48.0 |
||
haxx curl 7.51.0 |
||
haxx curl 7.52.0 |
||
haxx curl 7.37.1 |
||
haxx curl 7.38.0 |
||
haxx curl 7.44.0 |
||
haxx curl 7.45.0 |
||
haxx curl 7.50.0 |
||
haxx curl 7.50.1 |
||
haxx curl 7.53.1 |
||
haxx curl 7.54.0 |
||
haxx curl 7.36.0 |
||
haxx curl 7.37.0 |
||
haxx curl 7.42.0 |
||
haxx curl 7.42.1 |
||
haxx curl 7.43.0 |
||
haxx curl 7.49.0 |
||
haxx curl 7.49.1 |
||
haxx curl 7.52.1 |
||
haxx curl 7.53.0 |
Vulmon