CVSSv2: 6.4

CVE-2017-1000257

Published: 31/10/2017 Updated: 13/11/2018
CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10
CVSS v3 Base Score: 9.1 | Impact Score: 5.2 | Exploitability Score: 3.9
VMScore: 571
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P

Vulnerability Summary

An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded.
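The defect above is a length-handling mistake, not a parsing one: the server's declared size (zero) is correct, but the delivery path reinterprets zero as "measure it yourself" and reaches for strlen() on a buffer nothing promised to NUL-terminate. The following C program is an added example written for this page; it is not libcurl's code. It models the two halves of the bug with a small IMAP literal parser (illustrative, assumed shape) and a buggy versus a hardened deliver-data routine, driven by a constructed zero-byte FETCH response. The stale heap content is constructed and the buffer is NUL-terminated at its very end so the demo stays inside its allocation; in the real bug there was no such terminator, which is why the read could run off the end of the heap block.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Pull the byte count out of an IMAP FETCH literal such as
 *   "* 1 FETCH (BODY[] {0}\r\n"      -> 0
 *   "* 1 FETCH (BODY[] {1234}\r\n"   -> 1234
 * Returns -1 when the line carries no well-formed "{n}" literal.
 * Illustrative parser for this example only; it is not libcurl's.
 */
long parse_fetch_literal_size(const char *line)
{
    const char *open = strchr(line, '{');
    if (!open)
        return -1;
    char *end = NULL;
    unsigned long n = strtoul(open + 1, &end, 10);
    if (end == open + 1 || *end != '}')   /* no digits, or no closing brace */
        return -1;
    if (n > LONG_MAX)
        return -1;
    return (long)n;
}

/*
 * Deliver-data in the shape the advisory describes: a length of zero is
 * taken to mean "unknown, measure it with strlen()". That is the defect.
 * Returns the number of bytes that would be handed to the application.
 */
size_t deliver_data_buggy(const char *data, size_t len)
{
    if (len == 0)
        len = strlen(data);   /* over-reads when data is not NUL-terminated */
    return len;
}

/* Hardened form: the caller's explicit length is authoritative; zero bytes
 * means nothing to deliver, and strlen() is never consulted. */
size_t deliver_data_fixed(const char *data, size_t len)
{
    (void)data;
    return len;
}

/*
 * Drive both variants with a constructed zero-byte FETCH response.
 * The heap buffer stands in for the receive buffer: the 0-byte literal
 * "occupies" its start and 31 bytes of stale, non-zero content follow.
 * It is NUL-terminated at the very end only so this demo stays inside the
 * allocation; the real bug had no such guarantee.
 */
size_t simulate_zero_length_fetch(int use_buggy_path)
{
    const char *response = "* 1 FETCH (BODY[] {0}\r\n";   /* constructed input */
    long declared = parse_fetch_literal_size(response);
    if (declared < 0)
        return (size_t)-1;

    enum { BUFSZ = 32 };
    char *buf = malloc(BUFSZ);
    if (!buf)
        return (size_t)-1;
    memset(buf, 'A', BUFSZ - 1);       /* constructed stale heap content */
    buf[BUFSZ - 1] = '\0';

    size_t delivered = use_buggy_path
        ? deliver_data_buggy(buf, (size_t)declared)
        : deliver_data_fixed(buf, (size_t)declared);
    free(buf);
    return delivered;
}

int main(void)
{
    printf("server declared 0 bytes; buggy path delivers %zu bytes, fixed path delivers %zu\n",
           simulate_zero_length_fetch(1), simulate_zero_length_fetch(0));
    return 0;
}
```

The buggy path hands the application 31 bytes the server never sent, which is exactly the information-disclosure outcome the advisories below describe; the fixed path delivers the declared zero bytes. The practical check for a deployed system is the version line: the upstream fix shipped in curl 7.56.1, and every affected build from 7.20.0 onward should be compared against that.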

Vendor Advisories

Synopsis Moderate: curl security update Type/Severity Security Advisory: Moderate Topic An update for curl is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gi ...
curl could be made to crash or run programs if it received specially crafted network traffic ...
IMAP FETCH response out-of-bounds read: A buffer overrun flaw was found in the IMAP handler of libcurl. By tricking an unsuspecting user into connecting to a malicious IMAP server, an attacker could exploit this flaw to potentially cause information disclosure or crash the application (CVE-2017-1000257) ...
A buffer overrun flaw was found in the IMAP handler of libcurl. By tricking an unsuspecting user into connecting to a malicious IMAP server, an attacker could exploit this flaw to potentially cause information disclosure or crash the application ...
Arch Linux Security Advisory ASA-201711-6 ========================================= Severity: Medium Date : 2017-11-02 CVE-ID : CVE-2017-1000257 Package : curl Type : information disclosure Remote : Yes Link : security.archlinux.org/AVG-467 Summary ======= The package curl before version 7.56.1-1 is vulnerable to information d ...
Arch Linux Security Advisory ASA-201711-11 ========================================== Severity: Medium Date : 2017-11-02 CVE-ID : CVE-2017-1000257 Package : libcurl-gnutls Type : information disclosure Remote : Yes Link : security.archlinux.org/AVG-462 Summary ======= The package libcurl-gnutls before version 7.56.1-1 is vulne ...
Arch Linux Security Advisory ASA-201711-9 ========================================= Severity: Medium Date : 2017-11-02 CVE-ID : CVE-2017-1000257 Package : lib32-libcurl-gnutls Type : information disclosure Remote : Yes Link : security.archlinux.org/AVG-464 Summary ======= The package lib32-libcurl-gnutls before version 7.56.1- ...
Arch Linux Security Advisory ASA-201711-8 ========================================= Severity: Medium Date : 2017-11-02 CVE-ID : CVE-2017-1000257 Package : lib32-libcurl-compat Type : information disclosure Remote : Yes Link : security.archlinux.org/AVG-465 Summary ======= The package lib32-libcurl-compat before version 7.56.1- ...
Arch Linux Security Advisory ASA-201711-7 ========================================= Severity: Medium Date : 2017-11-02 CVE-ID : CVE-2017-1000257 Package : lib32-curl Type : information disclosure Remote : Yes Link : security.archlinux.org/AVG-466 Summary ======= The package lib32-curl before version 7.56.1-1 is vulnerable to i ...
Arch Linux Security Advisory ASA-201711-10 ========================================== Severity: Medium Date : 2017-11-02 CVE-ID : CVE-2017-1000257 Package : libcurl-compat Type : information disclosure Remote : Yes Link : security.archlinux.org/AVG-463 Summary ======= The package libcurl-compat before version 7.56.1-1 is vulne ...
Several security issues were fixed in curl ...
A heap buffer overrun flaw was found in the IMAP handler of libcurl >= 7.20.0 and < 7.56.1. An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. lib ...
Synopsis Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 security update Type/Severity Security Advisory: Important Topic Red Hat JBoss Core Services Pack Apache Server 2.4.29 packages for Microsoft Windows and Oracle Solaris are now available. Red Hat Product Security has rated this release ...
Synopsis Moderate: httpd24 security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Topic An update for httpd24-httpd, httpd24-nghttp2, and httpd24-curl is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of ...
libcurl is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length ...
Oracle Solaris Third Party Bulletin - April 2018 Description The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical ...
Oracle Linux Bulletin - October 2017 Description The Oracle Linux Bulletin lists all CVEs that had been resolved and announced in Oracle Linux Security Advisories (ELSA) in the last one month prior to the release of the bulletin. Oracle Linux Bulletins are published on the same day as Oracle Critical ...

GitHub Repositories

PoCs discovered through fuzzing which resulted in a CVE assignment.

CVE-2015-7700 Base Score: 9.8 CRITICAL Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Double-free vulnerability in the sPLT chunk structure and png.c in pngcrush before 1.7.87 allows attackers to have unspecified impact via unknown vectors CVE-2016-9273 Base Score 5.5 MEDIUM Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H tiffsplit in libtiff 4.0.6 allows remote

Some interesting CVEs

copyright (c) 2019, NESA Lab. Tuya: espconn provides the connection methods, a wrapper around lwIP. espressif: some shared utility functions. FreeRTOS: has 13 CVEs, but they are all in the AWS FreeRTOS, so it is probably a configuration issue; it is unclear whether the ESP8266 has similar problems. CVE-2018-16603 information leak, CVE-2018-16522 remote code execution, CVE-2018-16523 denial of service. cJSON: the cJSON that Tuya uses does not state its year.