Published: 31/10/2017 Updated: 13/11/2018

CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10

CVSS v3 Base Score: 9.1 | Impact Score: 5.2 | Exploitability Score: 3.9

VMScore: 571

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P

An IMAP FETCH response line indicates the size of the returned data, in number of bytes. When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function. libcurl's deliver-data function treats zero as a magic number and invokes strlen() on the data to figure out the length. The strlen() is called on a heap based buffer that might not be zero terminated so libcurl might read beyond the end of it into whatever memory lies after (or just crash) and then deliver that to the application as if it was actually downloaded.

Vulnerable Product	Search on Vulmon	Subscribe to Product
haxx libcurl
debian debian linux 9.0
debian debian linux 8.0

Synopsis Moderate: curl security update Type/Severity Security Advisory: Moderate Topic An update for curl is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring System (CVSS) base score, which gi ...

Synopsis Important: Red Hat JBoss Core Services Apache HTTP Server 2429 security update Type/Severity Security Advisory: Important Topic Red Hat JBoss Core Services Pack Apache Server 2429 packages for Microsoft Windows and Oracle Solaris are now availableRed Hat Product Security has rated this release ...

Synopsis Moderate: httpd24 security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Topic An update for httpd24-httpd, httpd24-nghttp2, and httpd24-curl is now available for Red Hat Software CollectionsRed Hat Product Security has rated this update as having a security impact of ...

curl could be made to crash or run programs if it received specially crafted network traffic ...

Several security issues were fixed in curl ...

IMAP FETCH response out of bounds read:A buffer overrun flaw was found in the IMAP handler of libcurl By tricking an unsuspecting user into connecting to a malicious IMAP server, an attacker could exploit this flaw to potentially cause information disclosure or crash the application (CVE-2017-1000257) ...

libcurl is vulnerable to a heap buffer out-of-bounds read The function handling incoming NTLM type-2 messages (`lib/vauth/ntlmc:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length ...

A buffer overrun flaw was found in the IMAP handler of libcurl By tricking an unsuspecting user into connecting to a malicious IMAP server, an attacker could exploit this flaw to potentially cause information disclosure or crash the application ...

A heap buffer overrun flaw was found in the IMAP handler of libcurl >= 7200 and < 7561 An IMAP FETCH response line indicates the size of the returned data, in number of bytes When that response says the data is zero bytes, libcurl would pass on that (non-existing) data with a pointer and the size (zero) to the deliver-data function lib ...

CWE-119 https://curl.haxx.se/docs/adv_20171023.html http://www.securitytracker.com/id/1039644 http://www.securityfocus.com/bid/101519 http://www.debian.org/security/2017/dsa-4007 https://access.redhat.com/errata/RHSA-2017:3263 https://security.gentoo.org/glsa/201712-04 https://access.redhat.com/errata/RHSA-2018:2486 https://access.redhat.com/errata/RHSA-2018:3558 https://nvd.nist.gov https://access.redhat.com/errata/RHSA-2017:3263 https://usn.ubuntu.com/3457-1/

CVE-2017-1000257

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect