CVE-2017-8817

Published: 29/11/2017 Updated: 13/11/2018
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 670
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

The FTP wildcard function in curl and libcurl prior to 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a wildcard pattern string that ends with a '[' character.

Vulnerable Products

Haxx curl

Haxx libcurl

Debian Linux 8.0

Debian Linux 9.0

Vendor Advisories

Synopsis: Moderate: httpd24 security, bug fix, and enhancement update. Type/Severity: Security Advisory: Moderate. Topic: An update for httpd24-httpd, httpd24-nghttp2, and httpd24-curl is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of ...
curl could be made to crash if it received specially crafted input ...
Several security issues were fixed in curl ...
Two vulnerabilities were discovered in cURL, a URL transfer library. CVE-2017-8816: Alex Nichols discovered a buffer overrun flaw in the NTLM authentication code which can be triggered on 32-bit systems where an integer overflow might occur when calculating the size of a memory allocation. CVE-2017-8817: Fuzzing by the OSS-Fuzz proje ...
The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a denial of service (integer overflow and resultant buffer overflow, and application crash) or possibly have unspecified other impact via vectors involving long user and password fields (CVE-2017-8816). The FTP wildcard function in curl a ...
libcurl is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length ...
The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character ...
A read out of bounds flaw has been found in the FTP wildcard function of libcurl >= 7.21.0 and < 7.57.0. libcurl's FTP wildcard matching feature, which is enabled with the `CURLOPT_WILDCARDMATCH` option, can use a built-in wildcard function or a user provided one. The built-in wildcard function has a flaw that makes it not detect the end of th ...
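The flaw class in the advisory above, as an added example that is not curl's own code: a stripped-down scanner for a `[...]` character class in a glob pattern, written once in the vulnerable shape (only the closing `]` ends the loop, so a pattern that ends with `[` keeps reading past its NUL terminator) and once hardened (NUL ends the scan with an error), plus a pre-validation check a caller can run on a user-supplied pattern before handing it to any wildcard matcher. The function names, the pattern `*.txt[` and the 64-byte demonstration buffer are constructed for this illustration; keeping the overread inside that buffer is what makes the demonstration safe to execute, whereas in a real process the bytes after the string are heap metadata, another allocation or an unmapped page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Scan a bracket expression.  `p` points at the first byte AFTER the '['.
 * Returns the number of bytes consumed up to and including the closing ']',
 * or -1 if the class is not terminated before the end of the string. */

/* Vulnerable shape (illustrative, not curl's code): only ']' stops the loop,
 * so a pattern that ends with '[' walks past the NUL into whatever memory
 * follows the string. */
long scan_class_unchecked(const char *p)
{
    long n = 0;
    while (p[n] != ']')      /* no p[n] == '\0' check */
        n++;
    return n + 1;
}

/* Hardened shape: the terminator ends the scan with an error. */
long scan_class_checked(const char *p)
{
    long n = 0;
    while (p[n] != ']') {
        if (p[n] == '\0')
            return -1;       /* unterminated class: reject, do not read on */
        n++;
    }
    return n + 1;
}

/* Pre-validation for a pattern received from a user or a URL: every '['
 * must be closed by a ']' before the end of the string. */
bool glob_classes_terminated(const char *pattern)
{
    for (const char *p = pattern; *p != '\0'; p++) {
        if (*p == '[') {
            long consumed = scan_class_checked(p + 1);
            if (consumed < 0)
                return false;
            p += consumed;   /* now on the ']'; the loop's p++ steps past it */
        }
    }
    return true;
}

/* Constructed demonstration buffer: "*.txt[" plus its NUL occupy the first
 * 7 bytes; the tail is filled with 'A' and carries a stray ']' at index 40. */
enum { DEMO_BUF = 64, DEMO_STRAY_BRACKET = 40 };
static const char demo_pattern[] = "*.txt[";

static void build_demo(char buf[DEMO_BUF])
{
    memset(buf, 'A', DEMO_BUF);
    memcpy(buf, demo_pattern, sizeof demo_pattern);  /* copies the NUL too */
    buf[DEMO_STRAY_BRACKET] = ']';
    buf[DEMO_BUF - 1] = '\0';
}

/* Bytes the unchecked scanner consumes after the trailing '[' even though the
 * pattern has nothing left: it runs from the NUL to the stray ']' at 40. */
long demo_unchecked_consumed(void)
{
    char buf[DEMO_BUF];
    build_demo(buf);
    const char *after_bracket = buf + strlen(demo_pattern); /* the NUL itself */
    return scan_class_unchecked(after_bracket);
}

/* The checked scanner on the same input: -1, nothing read past the NUL. */
long demo_checked_result(void)
{
    char buf[DEMO_BUF];
    build_demo(buf);
    return scan_class_checked(buf + strlen(demo_pattern));
}

int main(void)
{
    printf("unchecked scanner consumed %ld bytes past the end of \"%s\"\n",
           demo_unchecked_consumed(), demo_pattern);
    printf("checked scanner result: %ld\n", demo_checked_result());
    printf("pattern \"*.txt[\" well-formed: %s\n",
           glob_classes_terminated("*.txt[") ? "yes" : "no");
    return 0;
}
```

The point of `glob_classes_terminated` is that the bracket check belongs at the trust boundary: a library can fix its own matcher, but an application that lets users supply the URL (and therefore the pattern) still benefits from rejecting an unterminated `[` before the string reaches any matcher it does not control.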