ID CVE-2016-9586
Summary curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks.
References
Vulnerable Configurations
  • Haxx Curl 6.0
    cpe:2.3:a:haxx:curl:6.0
  • Haxx Curl 6.1
    cpe:2.3:a:haxx:curl:6.1
  • Haxx Curl 6.1 beta
    cpe:2.3:a:haxx:curl:6.1:beta
  • Haxx Curl 6.2
    cpe:2.3:a:haxx:curl:6.2
  • Haxx Curl 6.3
    cpe:2.3:a:haxx:curl:6.3
  • Haxx Curl 6.3.1
    cpe:2.3:a:haxx:curl:6.3.1
  • Haxx Curl 6.4
    cpe:2.3:a:haxx:curl:6.4
  • Haxx Curl 6.5
    cpe:2.3:a:haxx:curl:6.5
  • Haxx Curl 6.5.1
    cpe:2.3:a:haxx:curl:6.5.1
  • Haxx Curl 6.5.2
    cpe:2.3:a:haxx:curl:6.5.2
  • Haxx Curl 7.1
    cpe:2.3:a:haxx:curl:7.1
  • Haxx Curl 7.1.1
    cpe:2.3:a:haxx:curl:7.1.1
  • Haxx Curl 7.2
    cpe:2.3:a:haxx:curl:7.2
  • Haxx Curl 7.2.1
    cpe:2.3:a:haxx:curl:7.2.1
  • Haxx Curl 7.3
    cpe:2.3:a:haxx:curl:7.3
  • Haxx Curl 7.4
    cpe:2.3:a:haxx:curl:7.4
  • Haxx Curl 7.4.1
    cpe:2.3:a:haxx:curl:7.4.1
  • Haxx Curl 7.4.2
    cpe:2.3:a:haxx:curl:7.4.2
  • Haxx Curl 7.5
    cpe:2.3:a:haxx:curl:7.5
  • Haxx Curl 7.5.1
    cpe:2.3:a:haxx:curl:7.5.1
  • Haxx Curl 7.5.2
    cpe:2.3:a:haxx:curl:7.5.2
  • Haxx Curl 7.6
    cpe:2.3:a:haxx:curl:7.6
  • Haxx Curl 7.6.1
    cpe:2.3:a:haxx:curl:7.6.1
  • Haxx Curl 7.7
    cpe:2.3:a:haxx:curl:7.7
  • Haxx Curl 7.7.1
    cpe:2.3:a:haxx:curl:7.7.1
  • Haxx Curl 7.7.2
    cpe:2.3:a:haxx:curl:7.7.2
  • Haxx Curl 7.7.3
    cpe:2.3:a:haxx:curl:7.7.3
  • Haxx Curl 7.8
    cpe:2.3:a:haxx:curl:7.8
  • Haxx Curl 7.8.1
    cpe:2.3:a:haxx:curl:7.8.1
  • Haxx Curl 7.9
    cpe:2.3:a:haxx:curl:7.9
  • Haxx Curl 7.9.1
    cpe:2.3:a:haxx:curl:7.9.1
  • Haxx Curl 7.9.2
    cpe:2.3:a:haxx:curl:7.9.2
  • Haxx Curl 7.9.3
    cpe:2.3:a:haxx:curl:7.9.3
  • Haxx Curl 7.9.4
    cpe:2.3:a:haxx:curl:7.9.4
  • Haxx Curl 7.9.5
    cpe:2.3:a:haxx:curl:7.9.5
  • Haxx Curl 7.9.6
    cpe:2.3:a:haxx:curl:7.9.6
  • Haxx Curl 7.9.7
    cpe:2.3:a:haxx:curl:7.9.7
  • Haxx Curl 7.9.8
    cpe:2.3:a:haxx:curl:7.9.8
  • Haxx Curl 7.10
    cpe:2.3:a:haxx:curl:7.10
  • Haxx Curl 7.10.1
    cpe:2.3:a:haxx:curl:7.10.1
  • Haxx Curl 7.10.2
    cpe:2.3:a:haxx:curl:7.10.2
  • Haxx Curl 7.10.3
    cpe:2.3:a:haxx:curl:7.10.3
  • Haxx Curl 7.10.4
    cpe:2.3:a:haxx:curl:7.10.4
  • Haxx Curl 7.10.5
    cpe:2.3:a:haxx:curl:7.10.5
  • Haxx Curl 7.10.6
    cpe:2.3:a:haxx:curl:7.10.6
  • Haxx Curl 7.10.7
    cpe:2.3:a:haxx:curl:7.10.7
  • Haxx Curl 7.10.8
    cpe:2.3:a:haxx:curl:7.10.8
  • Haxx Curl 7.11.0
    cpe:2.3:a:haxx:curl:7.11.0
  • Haxx Curl 7.11.1
    cpe:2.3:a:haxx:curl:7.11.1
  • Haxx Curl 7.11.2
    cpe:2.3:a:haxx:curl:7.11.2
  • Haxx Curl 7.12.0
    cpe:2.3:a:haxx:curl:7.12.0
  • Haxx Curl 7.12.1
    cpe:2.3:a:haxx:curl:7.12.1
  • Haxx Curl 7.12.2
    cpe:2.3:a:haxx:curl:7.12.2
  • Haxx Curl 7.12.3
    cpe:2.3:a:haxx:curl:7.12.3
  • Haxx Curl 7.13.0
    cpe:2.3:a:haxx:curl:7.13.0
  • Haxx Curl 7.13.1
    cpe:2.3:a:haxx:curl:7.13.1
  • Haxx Curl 7.13.2
    cpe:2.3:a:haxx:curl:7.13.2
  • Haxx Curl 7.14.0
    cpe:2.3:a:haxx:curl:7.14.0
  • Haxx Curl 7.14.1
    cpe:2.3:a:haxx:curl:7.14.1
  • Haxx Curl 7.15.0
    cpe:2.3:a:haxx:curl:7.15.0
  • Haxx Curl 7.15.1
    cpe:2.3:a:haxx:curl:7.15.1
  • Haxx Curl 7.15.2
    cpe:2.3:a:haxx:curl:7.15.2
  • Haxx Curl 7.15.3
    cpe:2.3:a:haxx:curl:7.15.3
  • Haxx Curl 7.15.4
    cpe:2.3:a:haxx:curl:7.15.4
  • Haxx Curl 7.15.5
    cpe:2.3:a:haxx:curl:7.15.5
  • Haxx Curl 7.16.0
    cpe:2.3:a:haxx:curl:7.16.0
  • Haxx Curl 7.16.1
    cpe:2.3:a:haxx:curl:7.16.1
  • Haxx Curl 7.16.2
    cpe:2.3:a:haxx:curl:7.16.2
  • Haxx Curl 7.16.3
    cpe:2.3:a:haxx:curl:7.16.3
  • Haxx Curl 7.16.4
    cpe:2.3:a:haxx:curl:7.16.4
  • Haxx Curl 7.17.0
    cpe:2.3:a:haxx:curl:7.17.0
  • Haxx Curl 7.17.1
    cpe:2.3:a:haxx:curl:7.17.1
  • Haxx Curl 7.18.0
    cpe:2.3:a:haxx:curl:7.18.0
  • Haxx Curl 7.18.1
    cpe:2.3:a:haxx:curl:7.18.1
  • Haxx Curl 7.18.2
    cpe:2.3:a:haxx:curl:7.18.2
  • Haxx Curl 7.19.0
    cpe:2.3:a:haxx:curl:7.19.0
  • Haxx Curl 7.19.1
    cpe:2.3:a:haxx:curl:7.19.1
  • Haxx Curl 7.19.2
    cpe:2.3:a:haxx:curl:7.19.2
  • Haxx Curl 7.19.3
    cpe:2.3:a:haxx:curl:7.19.3
  • Haxx Curl 7.19.4
    cpe:2.3:a:haxx:curl:7.19.4
  • Haxx Curl 7.19.5
    cpe:2.3:a:haxx:curl:7.19.5
  • Haxx Curl 7.19.6
    cpe:2.3:a:haxx:curl:7.19.6
  • Haxx Curl 7.19.7
    cpe:2.3:a:haxx:curl:7.19.7
  • Haxx Curl 7.20.0
    cpe:2.3:a:haxx:curl:7.20.0
  • Haxx Curl 7.20.1
    cpe:2.3:a:haxx:curl:7.20.1
  • Haxx Curl 7.21.0
    cpe:2.3:a:haxx:curl:7.21.0
  • Haxx Curl 7.21.1
    cpe:2.3:a:haxx:curl:7.21.1
  • Haxx Curl 7.21.2
    cpe:2.3:a:haxx:curl:7.21.2
  • Haxx Curl 7.21.3
    cpe:2.3:a:haxx:curl:7.21.3
  • Haxx Curl 7.21.4
    cpe:2.3:a:haxx:curl:7.21.4
  • Haxx Curl 7.21.5
    cpe:2.3:a:haxx:curl:7.21.5
  • Haxx Curl 7.21.6
    cpe:2.3:a:haxx:curl:7.21.6
  • Haxx Curl 7.21.7
    cpe:2.3:a:haxx:curl:7.21.7
  • Haxx Curl 7.22.0
    cpe:2.3:a:haxx:curl:7.22.0
  • Haxx Curl 7.23.0
    cpe:2.3:a:haxx:curl:7.23.0
  • Haxx Curl 7.23.1
    cpe:2.3:a:haxx:curl:7.23.1
  • Haxx Curl 7.24.0
    cpe:2.3:a:haxx:curl:7.24.0
  • Haxx Curl 7.25.0
    cpe:2.3:a:haxx:curl:7.25.0
  • Haxx Curl 7.26.0
    cpe:2.3:a:haxx:curl:7.26.0
  • Haxx Curl 7.27.0
    cpe:2.3:a:haxx:curl:7.27.0
  • Haxx Curl 7.28.0
    cpe:2.3:a:haxx:curl:7.28.0
  • Haxx Curl 7.28.1
    cpe:2.3:a:haxx:curl:7.28.1
  • Haxx Curl 7.29.0
    cpe:2.3:a:haxx:curl:7.29.0
  • Haxx Curl 7.30.0
    cpe:2.3:a:haxx:curl:7.30.0
  • Haxx Curl 7.31.0
    cpe:2.3:a:haxx:curl:7.31.0
  • Haxx Curl 7.32.0
    cpe:2.3:a:haxx:curl:7.32.0
  • Haxx Curl 7.33.0
    cpe:2.3:a:haxx:curl:7.33.0
  • Haxx Curl 7.34.0
    cpe:2.3:a:haxx:curl:7.34.0
  • Haxx Curl 7.35.0
    cpe:2.3:a:haxx:curl:7.35.0
  • Haxx Curl 7.36.0
    cpe:2.3:a:haxx:curl:7.36.0
  • Haxx Curl 7.37.0
    cpe:2.3:a:haxx:curl:7.37.0
  • Haxx Curl 7.37.1
    cpe:2.3:a:haxx:curl:7.37.1
  • Haxx Curl 7.38.0
    cpe:2.3:a:haxx:curl:7.38.0
  • Haxx Curl 7.39.0
    cpe:2.3:a:haxx:curl:7.39.0
  • Haxx Curl 7.40.0
    cpe:2.3:a:haxx:curl:7.40.0
  • Haxx Curl 7.41.0
    cpe:2.3:a:haxx:curl:7.41.0
  • Haxx Curl 7.42.0
    cpe:2.3:a:haxx:curl:7.42.0
  • Haxx Curl 7.42.1
    cpe:2.3:a:haxx:curl:7.42.1
  • Haxx Curl 7.43.0
    cpe:2.3:a:haxx:curl:7.43.0
  • Haxx Curl 7.44.0
    cpe:2.3:a:haxx:curl:7.44.0
  • Haxx Curl 7.45.0
    cpe:2.3:a:haxx:curl:7.45.0
  • Haxx Curl 7.46.0
    cpe:2.3:a:haxx:curl:7.46.0
  • Haxx Curl 7.47.0
    cpe:2.3:a:haxx:curl:7.47.0
  • Haxx Curl 7.47.1
    cpe:2.3:a:haxx:curl:7.47.1
  • Haxx Curl 7.48.0
    cpe:2.3:a:haxx:curl:7.48.0
  • Haxx Curl 7.49.0
    cpe:2.3:a:haxx:curl:7.49.0
  • Haxx Curl 7.49.1
    cpe:2.3:a:haxx:curl:7.49.1
  • Haxx Curl 7.50.0
    cpe:2.3:a:haxx:curl:7.50.0
  • Haxx Curl 7.50.1
    cpe:2.3:a:haxx:curl:7.50.1
  • Haxx Curl 7.50.2
    cpe:2.3:a:haxx:curl:7.50.2
  • Haxx Curl 7.50.3
    cpe:2.3:a:haxx:curl:7.50.3
  • Haxx Curl 7.51.0
    cpe:2.3:a:haxx:curl:7.51.0
CVSS
Base: 6.8
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
nessus via4
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1330.NASL
    description According to the versions of the curl package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker, able to provide a specially crafted FTP URL to an application using libcurl, could write a NULL byte at an arbitrary location, resulting in a crash, or an unspecified behavior.(CVE-2018-1000120) - A NULL pointer dereference flaw was found in the way libcurl checks values returned by the openldap ldap_get_attribute_ber() function. A malicious LDAP server could use this flaw to crash a libcurl client application via a specially crafted LDAP reply.(CVE-2018-1000121) - A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage(CVE-2018-1000122) - curl version curl 7.20.0 to and including curl 7.59.0 contains a Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded rtsp content.(CVE-2018-1000301) - curl version curl 7.20.0 to and including curl 7.59.0 contains a Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded rtsp content.(CVE-2016-9586) - libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e 7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.(CVE-2017-1000254) - The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character.The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character.(CVE-2017-8817) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 118418
    published 2018-10-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118418
    title EulerOS Virtualization 2.5.0 : curl (EulerOS-SA-2018-1330)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-513.NASL
    description This update for curl fixes the following issues : Security issue fixed : - CVE-2016-9586: libcurl printf floating point buffer overflow (bsc#1015332) - CVE-2017-7407: The ourWriteOut function in tool_writeout.c in curl might have allowed physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which lead to a heap-based buffer over-read (bsc#1032309). With this release new default ciphers are active (SUSE_DEFAULT, bsc#1027712). This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2018-09-04
    plugin id 99702
    published 2017-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99702
    title openSUSE Security Update : curl (openSUSE-2017-513)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-EDBB33AB2E.NASL
    description - fix floating point buffer overflow issues (CVE-2016-9586) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 96160
    published 2016-12-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96160
    title Fedora 25 : curl (2016-edbb33ab2e)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1042-1.NASL
    description This update for curl fixes the following issues: Security issue fixed : - CVE-2016-9586: libcurl printf floating point buffer overflow (bsc#1015332) - CVE-2017-7407: The ourWriteOut function in tool_writeout.c in curl might have allowed physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which lead to a heap-based buffer over-read (bsc#1032309). With this release new default ciphers are active (SUSE_DEFAULT, bsc#1027712). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 99464
    published 2017-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99464
    title SUSE SLED12 / SLES12 Security Update : curl (SUSE-SU-2017:1042-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-767.NASL
    description It was discovered that libcurl's implementation of the printf() functions triggers a buffer overflow when doing a large floating point output. The bug occurs when the conversion outputs more than 255 bytes. The flaw happens because the floating point conversion is using system functions without the correct boundary checks. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks. This flaw does not exist in the command line tool. For Debian 7 'Wheezy', these problems have been fixed in version 7.26.0-1+wheezy18. We recommend that you upgrade your curl packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-31
    plugin id 96183
    published 2017-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96183
    title Debian DLA-767-1 : curl security update
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-806.NASL
    description libcurl's implementation of the printf() functions triggers a buffer overflow when doing a large floating point output. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks. This flaw does not exist in the command line tool.
    last seen 2019-02-21
    modified 2018-08-31
    plugin id 97896
    published 2017-03-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97896
    title Amazon Linux AMI : curl (ALAS-2017-806)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1203.NASL
    description According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker, able to provide a specially crafted FTP URL to an application using libcurl, could write a NULL byte at an arbitrary location, resulting in a crash, or an unspecified behavior.(CVE-2018-1000120) - A NULL pointer dereference flaw was found in the way libcurl checks values returned by the openldap ldap_get_attribute_ber() function. A malicious LDAP server could use this flaw to crash a libcurl client application via a specially crafted LDAP reply.(CVE-2018-1000121) - A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage(CVE-2018-1000122) - curl version curl 7.20.0 to and including curl 7.59.0 contains a Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded rtsp content.(CVE-2018-1000301) - curl version curl 7.20.0 to and including curl 7.59.0 contains a Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded rtsp content.(CVE-2016-9586) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 110867
    published 2018-07-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110867
    title EulerOS 2.0 SP3 : curl (EulerOS-SA-2018-1203)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1043-1.NASL
    description This update for curl fixes the following issues: These security issues were fixed : - CVE-2016-9586: libcurl printf floating point buffer overflow (bsc#1015332) - CVE-2017-7407: The ourWriteOut function in tool_writeout.c in curl might have allowed physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a --write-out argument ending in a '%' character, which lead to a heap-based buffer over-read (bsc#1032309). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 99465
    published 2017-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99465
    title SUSE SLES11 Security Update : curl (SUSE-SU-2017:1043-1)
  • NASL family MacOS X Local Security Checks
    NASL id MACOS_10_12_4.NASL
    description The remote host is running a version of macOS that is 10.12.x prior to 10.12.4. It is, therefore, affected by multiple vulnerabilities in multiple components, some of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these remote code execution vulnerabilities by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user. The affected components are as follows : - apache - apache_mod_php - AppleGraphicsPowerManagement - AppleRAID - Audio - Bluetooth - Carbon - CoreGraphics - CoreMedia - CoreText - curl - EFI - FinderKit - FontParser - HTTPProtocol - Hypervisor - iBooks - ImageIO - Intel Graphics Driver - IOATAFamily - IOFireWireAVC - IOFireWireFamily - Kernel - Keyboards - libarchive - libc++abi - LibreSSL - MCX Client - Menus - Multi-Touch - OpenSSH - OpenSSL - Printing - python - QuickTime - Security - SecurityFoundation - sudo - System Integrity Protection - tcpdump - tiffutil - WebKit
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 99134
    published 2017-03-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99134
    title macOS 10.12.x < 10.12.4 Multiple Vulnerabilities (httpoxy)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1202.NASL
    description According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - curl version curl 7.20.0 to and including curl 7.59.0 contains a Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded rtsp content.(CVE-2018-1000301) - curl version curl 7.20.0 to and including curl 7.59.0 contains a Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded rtsp content.(CVE-2016-9586) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 110866
    published 2018-07-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110866
    title EulerOS 2.0 SP2 : curl (EulerOS-SA-2018-1202)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1568.NASL
    description Several vulnerabilities were discovered in cURL, an URL transfer library. CVE-2016-7141 When built with NSS and the libnsspem.so library is available at runtime, allows an remote attacker to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420. CVE-2016-7167 Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow. CVE-2016-9586 Curl is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there are any applications that accept a format string from the outside without necessary input filtering, it could allow remote attacks. CVE-2018-16839 Curl is vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service. CVE-2018-16842 Curl is vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service. For Debian 8 'Jessie', these problems have been fixed in version 7.38.0-4+deb8u13. We recommend that you upgrade your curl packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-07
    plugin id 118753
    published 2018-11-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118753
    title Debian DLA-1568-1 : curl security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-86D2B5AEFB.NASL
    description - fix floating point buffer overflow issues (CVE-2016-9586) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 96209
    published 2017-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96209
    title Fedora 24 : curl (2016-86d2b5aefb)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_42880202C81C11E6A9A5B499BAEBFEAF.NASL
    description The cURL project reports : printf floating point buffer overflow libcurl's implementation of the printf() functions triggers a buffer overflow when doing a large floating point output. The bug occurs when the conversion outputs more than 255 bytes.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 96086
    published 2016-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96086
    title FreeBSD : cURL -- buffer overflow (42880202-c81c-11e6-a9a5-b499baebfeaf)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201701-47.NASL
    description The remote host is affected by the vulnerability described in GLSA-201701-47 (cURL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in cURL. Please review the CVE identifiers and bug reports referenced for details. Impact : Remote attackers could conduct a Man-in-the-Middle attack to obtain sensitive information, cause a Denial of Service condition, or execute arbitrary code. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2017-01-20
    plugin id 96644
    published 2017-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96644
    title GLSA-201701-47 : cURL: Multiple vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2312-1.NASL
    description This update for curl fixes the following issues : - CVE-2017-1000100: TFP sends more than buffer size and it could lead to a denial of service (bsc#1051644) - CVE-2017-7407: ourWriteOut function problem could lead to a heap buffer over-read (bsc#1032309) - CVE-2016-9586: libcurl printf issue could lead to buffer overflow (bsc#1015332) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 102910
    published 2017-09-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102910
    title SUSE SLES11 Security Update : curl (SUSE-SU-2017:2312-1)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2017-003.NASL
    description The remote host is running Mac OS X 10.10.5, Mac OS X 10.11.6, or macOS 10.12.5 and is missing a security update. It is therefore, affected by multiple vulnerabilities : - An overflow condition exists in the curl component in the dprintf_formatf() function that is triggered when handling floating point conversion. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-9586) - A flaw exits in the curl component in the randit() function within file lib/rand.c due to improper initialization of the 32-bit random value, which is used, for example, to generate Digest and NTLM authentication nonces, resulting in weaker cryptographic operations than expected. (CVE-2016-9594) - A flaw exists in the curl component in the allocate_conn() function in lib/url.c when using the OCSP stapling feature for checking a X.509 certificate revocation status. The issue is triggered as the request option for OCSP stapling is not properly passed to the TLS library, resulting in no error being returned even when no proof of the validity of the certificate could be provided. A man-in-the-middle attacker can exploit this to provide a revoked certificate. (CVE-2017-2629) - A remote code execution vulnerability exists in the CoreAudio component due to improper validation of user-supplied input when handling movie files. An unauthenticated, remote attacker can exploit this, by convincing a user to play a specially crafted movie file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7008) - A memory corruption issue exists in the IOUSBFamily component due to improper validation of user-supplied input. A local attacker can exploit this, via a specially crafted application, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7009) - Multiple out-of-bounds read errors exist in the libxml2 component due to improper handling of specially crafted XML documents. An unauthenticated, remote attacker can exploit these to disclose user information. (CVE-2017-7010, CVE-2017-7013) - Multiple memory corruption issues exist in the Intel Graphics Driver component due to improper validation of input. A local attacker can exploit these issues to execute arbitrary code with elevated privileges. (CVE-2017-7014, CVE-2017-7017, CVE-2017-7035, CVE-2017-7044) - A remote code execution vulnerability exists in the Audio component due to improper validation of user-supplied input when handling audio files. An unauthenticated, remote attacker can exploit this, by convincing a user to play a specially crafted audio file, to execute arbitrary code. (CVE-2017-7015) - Multiple remote code execution vulnerabilities exist in the afclip component due to improper validation of user-supplied input when handling audio files. An unauthenticated, remote attacker can exploit these vulnerabilities, by convincing a user to play a specially crafted audio file, to execute arbitrary code. (CVE-2017-7016, CVE-2017-7033) - A memory corruption issue exists in the AppleGraphicsPowerManagement component due to improper validation of input. A local attacker can exploit this to cause a denial of service condition or the execution of arbitrary code with system privileges. (CVE-2017-7021) - Multiple memory corruption issues exist in the kernel due to improper validation of input. A local attacker can exploit these issues to cause a denial of service condition or the execution of arbitrary code with system privileges. (CVE-2017-7022, CVE-2017-7024, CVE-2017-7026) - Multiple memory corruption issues exist in the kernel due to improper validation of input. A local attacker can exploit these issues to cause a denial of service condition or the execution of arbitrary code with kernel privileges. (CVE-2017-7023, CVE-2017-7025, CVE-2017-7027, CVE-2017-7069) - Multiple unspecified flaws exist in the kernel due to a failure to properly sanitize input. A local attacker can exploit these issues, via a specially crafted application, to disclose restricted memory contents. (CVE-2017-7028, CVE-2017-7029, CVE-2017-7067) - A flaw exists in the Foundation component due to improper validation of input. A unauthenticated, remote attacker can exploit this, by convincing a user to open specially crafted file, to execute arbitrary code. (CVE-2017-7031) - A memory corruption issue exists in the 'kext tools' component due to improper validation of input. A local attacker can exploit this to execute arbitrary code with elevated privileges. (CVE-2017-7032) - Multiple unspecified flaws exist in the Intel Graphics Driver component due to a failure to properly sanitize input. A local attacker can exploit these issues, via a specially crafted application, to disclose restricted memory contents. (CVE-2017-7036, CVE-2017-7045) - A memory corruption issue exists in the libxpc component due to improper validation of input. A local attacker can exploit this issue, via a specifically crafted application, to cause a denial of service condition or the execution of arbitrary code with system privileges. (CVE-2017-7047) - Multiple memory corruption issues exist in the Bluetooth component due to improper validation of input. A local attacker can exploit these issues to execute arbitrary code with system privileges. (CVE-2017-7050, CVE-2017-7051) - A memory corruption issue exists in the Bluetooth component due to improper validation of input. A local attacker can exploit these issues to execute arbitrary code with system privileges. (CVE-2017-7054) - A buffer overflow condition exists in the Contacts component due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7062) - A buffer overflow condition exists in the libarchive component due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted archive file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-7068) - A certificate validation bypass vulnerability exists in the curl component due to the program attempting to resume TLS sessions even if the client certificate fails. An unauthenticated, remote attacker can exploit this to bypass validation mechanisms. (CVE-2017-7468) - A memory corruption issue exists in the Broadcom BCM43xx family Wi-Fi Chips component that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-9417)
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 101957
    published 2017-07-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101957
    title macOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-003)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3441-1.NASL
    description Daniel Stenberg discovered that curl incorrectly handled large floating point output. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-9586) Even Rouault discovered that curl incorrectly handled large file names when doing TFTP transfers. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly obtain sensitive memory contents. (CVE-2017-1000100) Brian Carpenter and Yongji Ouyang discovered that curl incorrectly handled numerical range globbing. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly obtain sensitive memory contents. (CVE-2017-1000101) Max Dymond discovered that curl incorrectly handled FTP PWD responses. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service. (CVE-2017-1000254) Brian Carpenter discovered that curl incorrectly handled the --write-out command line option. A local attacker could possibly use this issue to obtain sensitive memory contents. (CVE-2017-7407). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 103773
    published 2017-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103773
    title Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : curl vulnerabilities (USN-3441-1)
redhat via4
advisories
rhsa
id RHSA-2018:3558
refmap via4
bid 95019
confirm
gentoo GLSA-201701-47
misc https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9586
mlist [debian-lts-announce] 20181106 [SECURITY] [DLA 1568-1] curl security update
sectrack 1037515
Last major update 23-04-2018 - 14:29
Published 23-04-2018 - 14:29
Last modified 13-11-2018 - 06:29
Back to Top