ID CVE-2018-1000007
Summary libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request.
References
Vulnerable Configurations
  • Debian Linux 7.0
    cpe:2.3:o:debian:debian_linux:7.0
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
  • Canonical Ubuntu Linux 12.04 ESM (Extended Security Maintenance)
    cpe:2.3:o:canonical:ubuntu_linux:12.04:-:-:-:esm
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
  • Canonical Ubuntu Linux 17.10
    cpe:2.3:o:canonical:ubuntu_linux:17.10
  • RedHat Enterprise Linux Desktop 7.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
  • RedHat Enterprise Linux Server 7.0
    cpe:2.3:o:redhat:enterprise_linux_server:7.0
  • RedHat Enterprise Linux Workstation 7.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:7.0
CVSS
Base: 5.0
Impact:
Exploitability:
CWE CWE-200
CAPEC
  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
  • Reusing Session IDs (aka Session Replay)
    This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
  • Using Slashes in Alternate Encoding
    This attack targets the encoding of the Slash characters. An attacker would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
nessus via4
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1401.NASL
    description According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was found that curl and libcurl might send their Authentication header to a third party HTTP server upon receiving an HTTP REDIRECT reply. This could leak authentication token to external entities.(CVE-2018-1000007) - When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS.(CVE-2017-1000100) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-10
    plugin id 119529
    published 2018-12-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119529
    title EulerOS 2.0 SP3 : curl (EulerOS-SA-2018-1401)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-1_0-0108.NASL
    description An update of 'postgresql', 'curl' packages of Photon OS has been released.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 111919
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111919
    title Photon OS 1.0: Curl / Postgresql PHSA-2018-1.0-0108 (deprecated)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20181030_CURL_AND_NSS_PEM_ON_SL7_X.NASL
    description Security Fix(es) : - curl: HTTP authentication leak in redirects (CVE-2018-1000007) - curl: FTP path trickery leads to NIL byte out of bounds write (CVE-2018-1000120) - curl: RTSP RTP buffer over-read (CVE-2018-1000122) - curl: Out-of-bounds heap read when missing RTSP headers allows information leak of denial of service (CVE-2018-1000301) - curl: LDAP NULL pointer dereference (CVE-2018-1000121)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 119180
    published 2018-11-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119180
    title Scientific Linux Security Update : curl and nss-pem on SL7.x x86_64
  • NASL family Amazon Linux Local Security Checks
    NASL id AL2_ALAS-2019-1139.NASL
    description The nss-pem package provides the PEM file reader for Network Security Services (NSS) implemented as a PKCS#11 module. This update contains fixes related to CURL security updates, specifically updating an object ID when reusing a certificate
    last seen 2019-02-21
    modified 2019-01-10
    plugin id 121048
    published 2019-01-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121048
    title Amazon Linux 2 : nss-pem (ALAS-2019-1139)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-98.NASL
    description This update for curl fixes one issues. This security issue was fixed : - CVE-2018-1000007: Prevent leaking authentication data to third parties when following redirects (bsc#1077001) This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2018-02-20
    plugin id 106433
    published 2018-01-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106433
    title openSUSE Security Update : curl (openSUSE-2018-98)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-0217-1.NASL
    description This update for curl fixes one issues. This security issue was fixed : - CVE-2018-1000007: Prevent leaking authentication data to third parties when following redirects (bsc#1077001) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 106346
    published 2018-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106346
    title SUSE SLED12 / SLES12 Security Update : curl (SUSE-SU-2018:0217-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201804-04.NASL
    description The remote host is affected by the vulnerability described in GLSA-201804-04 (cURL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in cURL. Please review the CVE identifiers referenced below for details. Impact : Remote attackers could cause a Denial of Service condition, obtain sensitive information, or have other unspecified impacts. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-06-07
    plugin id 108925
    published 2018-04-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108925
    title GLSA-201804-04 : cURL: Multiple vulnerabilities
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2018-024-01.NASL
    description New curl packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen 2018-09-01
    modified 2018-02-20
    plugin id 106309
    published 2018-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106309
    title Slackware 14.0 / 14.1 / 14.2 / current : curl (SSA:2018-024-01)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-2_0-0016_CURL.NASL
    description An update of the curl package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 121916
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121916
    title Photon OS 2.0: Curl PHSA-2018-2.0-0016
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-1_0-0108_CURL.NASL
    description An update of the curl package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 121808
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121808
    title Photon OS 1.0: Curl PHSA-2018-1.0-0108
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2019-1002.NASL
    description According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was found that curl and libcurl might send their Authentication header to a third party HTTP server upon receiving an HTTP REDIRECT reply. This could leak authentication token to external entities.(CVE-2018-1000007) - When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS.(CVE-2017-1000100) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-08
    plugin id 120990
    published 2019-01-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120990
    title EulerOS 2.0 SP5 : curl (EulerOS-SA-2019-1002)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-85655B12B6.NASL
    description - http2: fix incorrect trailer buffer size (CVE-2018-1000005) - http: prevent custom Authorization headers in redirects (CVE-2018-1000007) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-20
    plugin id 106517
    published 2018-01-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106517
    title Fedora 26 : curl (2018-85655b12b6)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1427.NASL
    description According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was found that curl and libcurl might send their Authentication header to a third party HTTP server upon receiving an HTTP REDIRECT reply. This could leak authentication token to external entities.(CVE-2018-1000007) - When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name is truncated to fit within the buffer boundaries, but the buffer size is still wrongly updated to use the untruncated length. This too large value is then used in the sendto() call, making curl attempt to send more data than what is actually put into the buffer. The endto() function will then read beyond the end of the heap based buffer. A malicious HTTP(S) server could redirect a vulnerable libcurl-using client to a crafted TFTP URL (if the client hasn't restricted which protocols it allows redirects to) and trick it to send private memory contents to a remote server over UDP. Limit curl's redirect protocols with --proto-redir and libcurl's with CURLOPT_REDIR_PROTOCOLS.(CVE-2017-1000100) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 119916
    published 2018-12-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119916
    title EulerOS 2.0 SP2 : curl (EulerOS-SA-2018-1427)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3554-1.NASL
    description It was discovered that curl incorrectly handled certain data. An attacker could possibly use this to cause a denial of service or even to get access to sensitive data. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. It was discovered that curl could accidentally leak authentication data. An attacker could possibly use this to get access to sensitive information. (CVE-2018-1000007). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 106558
    published 2018-02-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106558
    title Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : curl vulnerabilities (USN-3554-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1263.NASL
    description Craig de Stigter discovered that authentication data might be leaked to third parties when following HTTP redirects. For Debian 7 'Wheezy', these problems have been fixed in version 7.26.0-1+wheezy24. We recommend that you upgrade your curl packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 106464
    published 2018-01-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106464
    title Debian DLA-1263-1 : curl security update
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4098.NASL
    description Two vulnerabilities were discovered in cURL, an URL transfer library. - CVE-2018-1000005 Zhouyihai Ding discovered an out-of-bounds read in the code handling HTTP/2 trailers. This issue doesn't affect the oldstable distribution (jessie). - CVE-2018-1000007 Craig de Stigter discovered that authentication data might be leaked to third parties when following HTTP redirects.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 106412
    published 2018-01-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106412
    title Debian DSA-4098-1 : curl - security update
  • NASL family Amazon Linux Local Security Checks
    NASL id AL2_ALAS-2018-951.NASL
    description HTTP authentication leak in redirects libcurl might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequest hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request. (CVE-2018-1000007) Out-of-bounds read in code handling HTTP/2 trailers libcurl contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something. (CVE-2018-1000005)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 109122
    published 2018-04-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109122
    title Amazon Linux 2 : curl (ALAS-2018-951)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2018-3157.NASL
    description An update for curl and nss-pem is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. The nss-pem package provides the PEM file reader for Network Security Services (NSS) implemented as a PKCS#11 module. Security Fix(es) : * curl: HTTP authentication leak in redirects (CVE-2018-1000007) * curl: FTP path trickery leads to NIL byte out of bounds write (CVE-2018-1000120) * curl: RTSP RTP buffer over-read (CVE-2018-1000122) * curl: Out-of-bounds heap read when missing RTSP headers allows information leak of denial of service (CVE-2018-1000301) * curl: LDAP NULL pointer dereference (CVE-2018-1000121) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the Curl project for reporting these issues. Upstream acknowledges Craig de Stigter as the original reporter of CVE-2018-1000007; Duy Phan Thanh as the original reporter of CVE-2018-1000120; Max Dymond as the original reporter of CVE-2018-1000122; the OSS-fuzz project as the original reporter of CVE-2018-1000301; and Dario Weisser as the original reporter of CVE-2018-1000121. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 118996
    published 2018-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118996
    title CentOS 7 : curl / nss-pem (CESA-2018:3157)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-3157.NASL
    description An update for curl and nss-pem is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. The nss-pem package provides the PEM file reader for Network Security Services (NSS) implemented as a PKCS#11 module. Security Fix(es) : * curl: HTTP authentication leak in redirects (CVE-2018-1000007) * curl: FTP path trickery leads to NIL byte out of bounds write (CVE-2018-1000120) * curl: RTSP RTP buffer over-read (CVE-2018-1000122) * curl: Out-of-bounds heap read when missing RTSP headers allows information leak of denial of service (CVE-2018-1000301) * curl: LDAP NULL pointer dereference (CVE-2018-1000121) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the Curl project for reporting these issues. Upstream acknowledges Craig de Stigter as the original reporter of CVE-2018-1000007; Duy Phan Thanh as the original reporter of CVE-2018-1000120; Max Dymond as the original reporter of CVE-2018-1000122; the OSS-fuzz project as the original reporter of CVE-2018-1000301; and Dario Weisser as the original reporter of CVE-2018-1000121. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 118532
    published 2018-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118532
    title RHEL 7 : curl and nss-pem (RHSA-2018:3157)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-0230-1.NASL
    description This update for curl several issues. This security issue was fixed : - CVE-2018-1000007: Prevent leaking authentication data to third parties when following redirects (bsc#1077001) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 106435
    published 2018-01-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106435
    title SUSE SLES11 Security Update : curl (SUSE-SU-2018:0230-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-241A5A2409.NASL
    description - http2: fix incorrect trailer buffer size (CVE-2018-1000005) - http: prevent custom Authorization headers in redirects (CVE-2018-1000007) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-20
    plugin id 106510
    published 2018-01-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106510
    title Fedora 27 : curl (2018-241a5a2409)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-951.NASL
    description Out-of-bounds read in code handling HTTP/2 trailers : libcurl contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like `:` to the target buffer, while this was recently changed to `: ` (a space was added after the colon) but the following math wasn't updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something. (CVE-2018-1000005) HTTP authentication leak in redirects : libcurl might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequest hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request. (CVE-2018-1000007)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 106930
    published 2018-02-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106930
    title Amazon Linux AMI : curl (ALAS-2018-951)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_0CBF0FA6DCB7469CB87AF94CFFD94583.NASL
    description The cURL project reports : libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value. Sending the same set of headers to subsequest hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request.
    last seen 2019-02-21
    modified 2018-12-19
    plugin id 106424
    published 2018-01-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106424
    title FreeBSD : cURL -- Multiple vulnerabilities (0cbf0fa6-dcb7-469c-b87a-f94cffd94583)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-3157.NASL
    description From Red Hat Security Advisory 2018:3157 : An update for curl and nss-pem is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. The nss-pem package provides the PEM file reader for Network Security Services (NSS) implemented as a PKCS#11 module. Security Fix(es) : * curl: HTTP authentication leak in redirects (CVE-2018-1000007) * curl: FTP path trickery leads to NIL byte out of bounds write (CVE-2018-1000120) * curl: RTSP RTP buffer over-read (CVE-2018-1000122) * curl: Out-of-bounds heap read when missing RTSP headers allows information leak of denial of service (CVE-2018-1000301) * curl: LDAP NULL pointer dereference (CVE-2018-1000121) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the Curl project for reporting these issues. Upstream acknowledges Craig de Stigter as the original reporter of CVE-2018-1000007; Duy Phan Thanh as the original reporter of CVE-2018-1000120; Max Dymond as the original reporter of CVE-2018-1000122; the OSS-fuzz project as the original reporter of CVE-2018-1000301; and Dario Weisser as the original reporter of CVE-2018-1000121. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-07
    plugin id 118775
    published 2018-11-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118775
    title Oracle Linux 7 : curl / nss-pem (ELSA-2018-3157)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-2_0-0016.NASL
    description An update of {'linux', 'curl', 'binutils', 'postgresql', 'libtiff'} packages of Photon OS has been released.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 111286
    published 2018-07-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111286
    title Photon OS 2.0 : Linux / Postgresql / Binutils / Curl / Libtiff (PhotonOS-PHSA-2018-2.0-0016) (deprecated)
redhat via4
advisories
  • rhsa
    id RHBA-2019:0327
  • rhsa
    id RHSA-2018:3157
  • rhsa
    id RHSA-2018:3558
rpms
  • curl-0:7.29.0-51.el7
  • libcurl-0:7.29.0-51.el7
  • libcurl-devel-0:7.29.0-51.el7
  • nss-pem-0:1.0.3-5.el7
refmap via4
confirm https://curl.haxx.se/docs/adv_2018-b3bf.html
debian DSA-4098
mlist [debian-lts-announce] 20180129 [SECURITY] [DLA 1263-1] curl security update
sectrack 1040274
ubuntu
  • USN-3554-1
  • USN-3554-2
Last major update 24-01-2018 - 17:29
Published 24-01-2018 - 17:29
Last modified 26-04-2019 - 08:41
Back to Top