curl 7.75.0 up to and including 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
haxx curl |
||
oracle mysql server |
||
oracle essbase |
||
oracle communications cloud native core network slice selection function 1.8.0 |
||
oracle communications cloud native core network repository function 1.15.0 |
||
oracle communications cloud native core network function cloud native environment 1.10.0 |
||
oracle communications cloud native core service communication proxy 1.15.0 |
||
oracle communications cloud native core network repository function 1.15.1 |
||
oracle communications cloud native core binding support function 1.11.0 |
||
netapp cloud backup - |
||
netapp snapcenter - |
||
netapp oncommand workflow automation - |
||
netapp oncommand insight - |
||
netapp solidfire \\& hci management node - |
||
netapp active iq unified manager - |
||
netapp solidfire baseboard management controller firmware - |
||
netapp solidfire\\, enterprise sds \\& hci storage node - |
||
netapp hci_compute_node_firmware - |
||
netapp h300e_firmware - |
||
netapp h300s_firmware - |
||
netapp h410s_firmware - |
||
netapp h500e_firmware - |
||
netapp h500s_firmware - |
||
netapp h700e_firmware - |
||
netapp h700s_firmware - |
||
siemens sinec infrastructure network services |
||
splunk universal forwarder 9.1.0 |
||
splunk universal forwarder |