Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Curl
(Haxx)| Repositories |
• https://github.com/curl/curl
• https://github.com/bagder/curl |
| #Vulnerabilities | 109 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2014-04-18 | CVE-2014-2522 | curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate. | Curl, Libcurl | N/A | ||
| 2014-04-15 | CVE-2014-0139 | cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. | Curl, Libcurl | N/A | ||
| 2014-04-15 | CVE-2014-0138 | The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015. | Debian_linux, Curl, Libcurl | N/A | ||
| 2014-02-01 | CVE-2014-0015 | cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request. | Curl, Libcurl | N/A | ||
| 2013-11-23 | CVE-2013-4545 | cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | Curl, Libcurl | N/A | ||
| 2013-07-31 | CVE-2013-2174 | Heap-based buffer overflow in the curl_easy_unescape function in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string ending in a "%" (percent) character. | Ubuntu_linux, Curl, Libcurl, Opensuse, Enterprise_linux | N/A | ||
| 2013-04-29 | CVE-2013-1944 | The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL. | Ubuntu_linux, Curl, Libcurl | N/A | ||
| 2013-03-08 | CVE-2013-0249 | Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7.26.0 through 7.28.1, when negotiating SASL DIGEST-MD5 authentication, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in the realm parameter in a (1) POP3, (2) SMTP or (3) IMAP message. | Ubuntu_linux, Curl, Libcurl | N/A | ||
| 2018-08-23 | CVE-2003-1605 | curl 7.x before 7.10.7 sends CONNECT proxy credentials to the remote server. | Curl | 7.5 |