CVE-2019-5443

Published: 02/07/2019 Updated: 03/11/2021
CVSS v2 Base Score: 4.4 | Impact Score: 6.4 | Exploitability Score: 3.4
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 392
CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

A non-privileged user or program can place code and a config file in a known non-privileged path (under C:/usr/local/) that makes curl <= 7.65.1 automatically run that code (as an OpenSSL "engine") on invocation. If that curl is invoked by a privileged user, the injected code runs with that user's privileges and can do anything it wants.

Vulnerable Products

haxx curl
oracle enterprise manager ops center 12.3.3
oracle enterprise manager ops center 12.4.0
oracle http server 12.2.1.3.0
oracle http server 12.2.1.4.0
oracle mysql server
oracle oss support tools 20.0
netapp oncommand insight
netapp oncommand unified manager
netapp oncommand workflow automation
netapp snapcenter

Vendor Advisories

When the database server or libpq client library initializes SSL, libeay32.dll attempts to read configuration from a hard-coded directory. Typically, the directory does not exist, but any local user could create it and inject configuration. This configuration can direct OpenSSL to load and execute arbitrary code as the user running a PostgreSQL s ...

Mailing Lists

oss-sec mailing list archives: "curl: Windows OpenSSL engine code injection". From: Daniel Stenberg <d ...

Github Repositories

Automated, reproducible, transparent, Windows builds for curl, nghttp2, brotli, libssh2 and OpenSSL 1.1. SECURITY NOTICE: It is strongly recommended to upgrade to curl 7.65.1_2 and OpenSSL 1.1.1c_2, released on 2019-06-20, or newer. Previous releases were discovered to have a code injection (and potential privilege escalation) vulnerability triggered via OpenSSL's build co