ID CVE-2018-1000122
Summary A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage
References
Vulnerable Configurations
  • Debian Linux 7.0
    cpe:2.3:o:debian:debian_linux:7.0
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
  • Canonical Ubuntu Linux 12.04 ESM (Extended Security Maintenance)
    cpe:2.3:o:canonical:ubuntu_linux:12.04:-:-:-:esm
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
  • Canonical Ubuntu Linux 17.10
    cpe:2.3:o:canonical:ubuntu_linux:17.10
  • Haxx Curl 7.20.0
    cpe:2.3:a:haxx:curl:7.20.0
  • Haxx Curl 7.20.1
    cpe:2.3:a:haxx:curl:7.20.1
  • Haxx Curl 7.21.0
    cpe:2.3:a:haxx:curl:7.21.0
  • Haxx Curl 7.21.1
    cpe:2.3:a:haxx:curl:7.21.1
  • Haxx Curl 7.21.2
    cpe:2.3:a:haxx:curl:7.21.2
  • Haxx Curl 7.21.3
    cpe:2.3:a:haxx:curl:7.21.3
  • Haxx Curl 7.21.4
    cpe:2.3:a:haxx:curl:7.21.4
  • Haxx Curl 7.21.5
    cpe:2.3:a:haxx:curl:7.21.5
  • Haxx Curl 7.21.6
    cpe:2.3:a:haxx:curl:7.21.6
  • Haxx Curl 7.21.7
    cpe:2.3:a:haxx:curl:7.21.7
  • Haxx Curl 7.22.0
    cpe:2.3:a:haxx:curl:7.22.0
  • Haxx Curl 7.23.0
    cpe:2.3:a:haxx:curl:7.23.0
  • Haxx Curl 7.23.1
    cpe:2.3:a:haxx:curl:7.23.1
  • Haxx Curl 7.24.0
    cpe:2.3:a:haxx:curl:7.24.0
  • Haxx Curl 7.25.0
    cpe:2.3:a:haxx:curl:7.25.0
  • Haxx Curl 7.26.0
    cpe:2.3:a:haxx:curl:7.26.0
  • Haxx Curl 7.27.0
    cpe:2.3:a:haxx:curl:7.27.0
  • Haxx Curl 7.28.0
    cpe:2.3:a:haxx:curl:7.28.0
  • Haxx Curl 7.28.1
    cpe:2.3:a:haxx:curl:7.28.1
  • Haxx Curl 7.29.0
    cpe:2.3:a:haxx:curl:7.29.0
  • Haxx Curl 7.30.0
    cpe:2.3:a:haxx:curl:7.30.0
  • Haxx Curl 7.31.0
    cpe:2.3:a:haxx:curl:7.31.0
  • Haxx Curl 7.32.0
    cpe:2.3:a:haxx:curl:7.32.0
  • Haxx Curl 7.33.0
    cpe:2.3:a:haxx:curl:7.33.0
  • Haxx Curl 7.34.0
    cpe:2.3:a:haxx:curl:7.34.0
  • Haxx Curl 7.35.0
    cpe:2.3:a:haxx:curl:7.35.0
  • Haxx Curl 7.36.0
    cpe:2.3:a:haxx:curl:7.36.0
  • Haxx Curl 7.37.0
    cpe:2.3:a:haxx:curl:7.37.0
  • Haxx Curl 7.37.1
    cpe:2.3:a:haxx:curl:7.37.1
  • Haxx Curl 7.38.0
    cpe:2.3:a:haxx:curl:7.38.0
  • Haxx Curl 7.39.0
    cpe:2.3:a:haxx:curl:7.39.0
  • Haxx Curl 7.40.0
    cpe:2.3:a:haxx:curl:7.40.0
  • Haxx Curl 7.41.0
    cpe:2.3:a:haxx:curl:7.41.0
  • Haxx Curl 7.42.0
    cpe:2.3:a:haxx:curl:7.42.0
  • Haxx Curl 7.42.1
    cpe:2.3:a:haxx:curl:7.42.1
  • Haxx Curl 7.43.0
    cpe:2.3:a:haxx:curl:7.43.0
  • Haxx Curl 7.44.0
    cpe:2.3:a:haxx:curl:7.44.0
  • Haxx Curl 7.45.0
    cpe:2.3:a:haxx:curl:7.45.0
  • Haxx Curl 7.46.0
    cpe:2.3:a:haxx:curl:7.46.0
  • Haxx Curl 7.47.0
    cpe:2.3:a:haxx:curl:7.47.0
  • Haxx Curl 7.47.1
    cpe:2.3:a:haxx:curl:7.47.1
  • Haxx Curl 7.48.0
    cpe:2.3:a:haxx:curl:7.48.0
  • Haxx Curl 7.49.0
    cpe:2.3:a:haxx:curl:7.49.0
  • Haxx Curl 7.49.1
    cpe:2.3:a:haxx:curl:7.49.1
  • Haxx Curl 7.50.0
    cpe:2.3:a:haxx:curl:7.50.0
  • Haxx Curl 7.50.1
    cpe:2.3:a:haxx:curl:7.50.1
  • Haxx Curl 7.50.2
    cpe:2.3:a:haxx:curl:7.50.2
  • Haxx Curl 7.50.3
    cpe:2.3:a:haxx:curl:7.50.3
  • Haxx Curl 7.51.0
    cpe:2.3:a:haxx:curl:7.51.0
  • Haxx Curl 7.52.0
    cpe:2.3:a:haxx:curl:7.52.0
  • Haxx Curl 7.52.1
    cpe:2.3:a:haxx:curl:7.52.1
  • Haxx Curl 7.53.0
    cpe:2.3:a:haxx:curl:7.53.0
  • Haxx Curl 7.53.1
    cpe:2.3:a:haxx:curl:7.53.1
  • Haxx Curl 7.54.0
    cpe:2.3:a:haxx:curl:7.54.0
  • Haxx Curl 7.54.1
    cpe:2.3:a:haxx:curl:7.54.1
  • Haxx Curl 7.55.0
    cpe:2.3:a:haxx:curl:7.55.0
  • Haxx Curl 7.55.1
    cpe:2.3:a:haxx:curl:7.55.1
  • Haxx Curl 7.56.0
    cpe:2.3:a:haxx:curl:7.56.0
  • Haxx Curl 7.56.1
    cpe:2.3:a:haxx:curl:7.56.1
  • Haxx Curl 7.57.0
    cpe:2.3:a:haxx:curl:7.57.0
  • Haxx Curl 7.58.0
    cpe:2.3:a:haxx:curl:7.58.0
  • RedHat Enterprise Linux Desktop 7.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
  • RedHat Enterprise Linux Server 7.0
    cpe:2.3:o:redhat:enterprise_linux_server:7.0
  • RedHat Enterprise Linux Workstation 7.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:7.0
  • Oracle Enterprise Manager Ops Center 12.2.2
    cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2
  • Oracle Enterprise Manager Ops Center 12.3.3
    cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3
  • Oracle PeopleSoft Enterprise PeopleTools 8.55
    cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55
  • Oracle PeopleSoft Enterprise PeopleTools 8.56
    cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56
  • Oracle PeopleSoft Enterprise PeopleTools 8.57
    cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57
CVSS
Base: 6.4
Impact:
Exploitability:
CWE CWE-125
CAPEC
  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
nessus via4
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1330.NASL
    description According to the versions of the curl package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker, able to provide a specially crafted FTP URL to an application using libcurl, could write a NULL byte at an arbitrary location, resulting in a crash, or an unspecified behavior.(CVE-2018-1000120) - A NULL pointer dereference flaw was found in the way libcurl checks values returned by the openldap ldap_get_attribute_ber() function. A malicious LDAP server could use this flaw to crash a libcurl client application via a specially crafted LDAP reply.(CVE-2018-1000121) - A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage(CVE-2018-1000122) - curl version curl 7.20.0 to and including curl 7.59.0 contains a Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded rtsp content.(CVE-2018-1000301) - curl version curl 7.20.0 to and including curl 7.59.0 contains a Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded rtsp content.(CVE-2016-9586) - libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in (anonymous or not), it asks the server for the current directory with the `PWD` command. The server then responds with a 257 response containing the path, inside double quotes. The returned path name is then kept by libcurl for subsequent uses. Due to a flaw in the string parser for this directory name, a directory name passed like this but without a closing double quote would lead to libcurl not adding a trailing NUL byte to the buffer holding the name. When libcurl would then later access the string, it could read beyond the allocated heap buffer and crash or wrongly access data beyond the buffer, thinking it was part of the path. A malicious server could abuse this fact and effectively prevent libcurl-based clients to work with it - the PWD command is always issued on new FTP connections and the mistake has a high chance of causing a segfault. The simple fact that this has issue remained undiscovered for this long could suggest that malformed PWD responses are rare in benign servers. We are not aware of any exploit of this flaw. This bug was introduced in commit [415d2e7cb7](https://github.com/curl/curl/commit/415d2e 7cb7), March 2005. In libcurl version 7.56.0, the parser always zero terminates the string but also rejects it if not terminated properly with a final double quote.(CVE-2017-1000254) - The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character.The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) or possibly have unspecified other impact via a string that ends with an '[' character.(CVE-2017-8817) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 118418
    published 2018-10-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118418
    title EulerOS Virtualization 2.5.0 : curl (EulerOS-SA-2018-1330)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20181030_CURL_AND_NSS_PEM_ON_SL7_X.NASL
    description Security Fix(es) : - curl: HTTP authentication leak in redirects (CVE-2018-1000007) - curl: FTP path trickery leads to NIL byte out of bounds write (CVE-2018-1000120) - curl: RTSP RTP buffer over-read (CVE-2018-1000122) - curl: Out-of-bounds heap read when missing RTSP headers allows information leak of denial of service (CVE-2018-1000301) - curl: LDAP NULL pointer dereference (CVE-2018-1000121)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 119180
    published 2018-11-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119180
    title Scientific Linux Security Update : curl and nss-pem on SL7.x x86_64
  • NASL family Amazon Linux Local Security Checks
    NASL id AL2_ALAS-2019-1139.NASL
    description The nss-pem package provides the PEM file reader for Network Security Services (NSS) implemented as a PKCS#11 module. This update contains fixes related to CURL security updates, specifically updating an object ID when reusing a certificate
    last seen 2019-02-21
    modified 2019-01-10
    plugin id 121048
    published 2019-01-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121048
    title Amazon Linux 2 : nss-pem (ALAS-2019-1139)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201804-04.NASL
    description The remote host is affected by the vulnerability described in GLSA-201804-04 (cURL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in cURL. Please review the CVE identifiers referenced below for details. Impact : Remote attackers could cause a Denial of Service condition, obtain sensitive information, or have other unspecified impacts. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-06-07
    plugin id 108925
    published 2018-04-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108925
    title GLSA-201804-04 : cURL: Multiple vulnerabilities
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1203.NASL
    description According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker, able to provide a specially crafted FTP URL to an application using libcurl, could write a NULL byte at an arbitrary location, resulting in a crash, or an unspecified behavior.(CVE-2018-1000120) - A NULL pointer dereference flaw was found in the way libcurl checks values returned by the openldap ldap_get_attribute_ber() function. A malicious LDAP server could use this flaw to crash a libcurl client application via a specially crafted LDAP reply.(CVE-2018-1000121) - A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage(CVE-2018-1000122) - curl version curl 7.20.0 to and including curl 7.59.0 contains a Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded rtsp content.(CVE-2018-1000301) - curl version curl 7.20.0 to and including curl 7.59.0 contains a Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded rtsp content.(CVE-2016-9586) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 110867
    published 2018-07-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110867
    title EulerOS 2.0 SP3 : curl (EulerOS-SA-2018-1203)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2018-3157.NASL
    description An update for curl and nss-pem is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. The nss-pem package provides the PEM file reader for Network Security Services (NSS) implemented as a PKCS#11 module. Security Fix(es) : * curl: HTTP authentication leak in redirects (CVE-2018-1000007) * curl: FTP path trickery leads to NIL byte out of bounds write (CVE-2018-1000120) * curl: RTSP RTP buffer over-read (CVE-2018-1000122) * curl: Out-of-bounds heap read when missing RTSP headers allows information leak of denial of service (CVE-2018-1000301) * curl: LDAP NULL pointer dereference (CVE-2018-1000121) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the Curl project for reporting these issues. Upstream acknowledges Craig de Stigter as the original reporter of CVE-2018-1000007; Duy Phan Thanh as the original reporter of CVE-2018-1000120; Max Dymond as the original reporter of CVE-2018-1000122; the OSS-fuzz project as the original reporter of CVE-2018-1000301; and Dario Weisser as the original reporter of CVE-2018-1000121. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-16
    plugin id 118996
    published 2018-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118996
    title CentOS 7 : curl / nss-pem (CESA-2018:3157)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-3157.NASL
    description An update for curl and nss-pem is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. The nss-pem package provides the PEM file reader for Network Security Services (NSS) implemented as a PKCS#11 module. Security Fix(es) : * curl: HTTP authentication leak in redirects (CVE-2018-1000007) * curl: FTP path trickery leads to NIL byte out of bounds write (CVE-2018-1000120) * curl: RTSP RTP buffer over-read (CVE-2018-1000122) * curl: Out-of-bounds heap read when missing RTSP headers allows information leak of denial of service (CVE-2018-1000301) * curl: LDAP NULL pointer dereference (CVE-2018-1000121) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the Curl project for reporting these issues. Upstream acknowledges Craig de Stigter as the original reporter of CVE-2018-1000007; Duy Phan Thanh as the original reporter of CVE-2018-1000120; Max Dymond as the original reporter of CVE-2018-1000122; the OSS-fuzz project as the original reporter of CVE-2018-1000301; and Dario Weisser as the original reporter of CVE-2018-1000121. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 118532
    published 2018-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118532
    title RHEL 7 : curl and nss-pem (RHSA-2018:3157)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-3157.NASL
    description From Red Hat Security Advisory 2018:3157 : An update for curl and nss-pem is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. The nss-pem package provides the PEM file reader for Network Security Services (NSS) implemented as a PKCS#11 module. Security Fix(es) : * curl: HTTP authentication leak in redirects (CVE-2018-1000007) * curl: FTP path trickery leads to NIL byte out of bounds write (CVE-2018-1000120) * curl: RTSP RTP buffer over-read (CVE-2018-1000122) * curl: Out-of-bounds heap read when missing RTSP headers allows information leak of denial of service (CVE-2018-1000301) * curl: LDAP NULL pointer dereference (CVE-2018-1000121) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the Curl project for reporting these issues. Upstream acknowledges Craig de Stigter as the original reporter of CVE-2018-1000007; Duy Phan Thanh as the original reporter of CVE-2018-1000120; Max Dymond as the original reporter of CVE-2018-1000122; the OSS-fuzz project as the original reporter of CVE-2018-1000301; and Dario Weisser as the original reporter of CVE-2018-1000121. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-07
    plugin id 118775
    published 2018-11-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118775
    title Oracle Linux 7 : curl / nss-pem (ELSA-2018-3157)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-0769-1.NASL
    description This update for curl fixes the following issues: Following security issues were fixed : - CVE-2018-1000120: A buffer overflow exists in the FTP URL handling that allowed an attacker to cause a denial of service or possible code execution (bsc#1084521). - CVE-2018-1000121: A NULL pointer dereference exists in the LDAP code that allowed an attacker to cause a denial of service (bsc#1084524). - CVE-2018-1000122: A buffer over-read exists in the RTSP+RTP handling code that allowed an attacker to cause a denial of service or information leakage (bsc#1084532). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 108579
    published 2018-03-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108579
    title SUSE SLED12 / SLES12 Security Update : curl (SUSE-SU-2018:0769-1)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1110.NASL
    description According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker, able to provide a specially crafted FTP URL to an application using libcurl, could write a NULL byte at an arbitrary location, resulting in a crash, or an unspecified behavior.(CVE-2018-1000120) - A NULL pointer dereference flaw was found in the way libcurl checks values returned by the openldap ldap_get_attribute_ber() function. A malicious LDAP server could use this flaw to crash a libcurl client application via a specially crafted LDAP reply.(CVE-2018-1000121) - A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage(CVE-2018-1000122) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 109508
    published 2018-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109508
    title EulerOS 2.0 SP2 : curl (EulerOS-SA-2018-1110)
  • NASL family Amazon Linux Local Security Checks
    NASL id AL2_ALAS-2018-995.NASL
    description FTP path trickery leads to NIL byte out of bounds write : It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker, able to provide a specially crafted FTP URL to an application using libcurl, could write a NULL byte at an arbitrary location, resulting in a crash, or an unspecified behavior. (CVE-2018-1000120) LDAP NULL pointer dereference : A NULL pointer dereference flaw was found in the way libcurl checks values returned by the openldap ldap_get_attribute_ber() function. A malicious LDAP server could use this flaw to crash a libcurl client application via a specially crafted LDAP reply. (CVE-2018-1000121) RTSP RTP buffer over-read : A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage. (CVE-2018-1000122)
    last seen 2019-02-21
    modified 2018-08-31
    plugin id 109178
    published 2018-04-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109178
    title Amazon Linux 2 : curl (ALAS-2018-995)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3598-1.NASL
    description Phan Thanh discovered that curl incorrectly handled certain FTP paths. An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2018-1000120) Dario Weisser discovered that curl incorrectly handled certain LDAP URLs. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-1000121) Max Dymond discovered that curl incorrectly handled certain RTSP data. An attacker could possibly use this to cause a denial of service or even to get access to sensitive data. (CVE-2018-1000122). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 108403
    published 2018-03-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108403
    title Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : curl vulnerabilities (USN-3598-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-995.NASL
    description FTP path trickery leads to NIL byte out of bounds write : It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker, able to provide a specially crafted FTP URL to an application using libcurl, could write a NULL byte at an arbitrary location, resulting in a crash, or an unspecified behavior. (CVE-2018-1000120) LDAP NULL pointer dereference : A NULL pointer dereference flaw was found in the way libcurl checks values returned by the openldap ldap_get_attribute_ber() function. A malicious LDAP server could use this flaw to crash a libcurl client application via a specially crafted LDAP reply. (CVE-2018-1000121) RTSP RTP buffer over-read : A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage. (CVE-2018-1000122)
    last seen 2019-02-21
    modified 2018-08-31
    plugin id 109184
    published 2018-04-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109184
    title Amazon Linux AMI : curl (ALAS-2018-995)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-1_0-0124.NASL
    description An update of 'curl' packages of Photon OS has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 111928
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111928
    title Photon OS 1.0: Curl PHSA-2018-1.0-0124 (deprecated)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-BC65AB5014.NASL
    description - http2: mark the connection for close on GOAWAY - new upstream release (7.59.0) - FTP path trickery leads to NIL byte out of bounds write (CVE-2018-1000120) - LDAP NULL pointer dereference (CVE-2018-1000121) - RTSP RTP buffer over-read (CVE-2018-1000122) - ftp: fix typo in recursive callback detection for seeking Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-03
    plugin id 120747
    published 2019-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120747
    title Fedora 28 : curl (2018-bc65ab5014)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-1_0-0124_CURL.NASL
    description An update of the curl package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 121819
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121819
    title Photon OS 1.0: Curl PHSA-2018-1.0-0124
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4136.NASL
    description Multiple vulnerabilities were discovered in cURL, an URL transfer library. - CVE-2018-1000120 Duy Phan Thanh discovered that curl could be fooled into writing a zero byte out of bounds when curl is told to work on an FTP URL with the setting to only issue a single CWD command, if the directory part of the URL contains a '%00' sequence. - CVE-2018-1000121 Dario Weisser discovered that curl might dereference a near-NULL address when getting an LDAP URL due to the ldap_get_attribute_ber() function returning LDAP_SUCCESS and a NULL pointer. A malicious server might cause libcurl-using applications that allow LDAP URLs, or that allow redirects to LDAP URLs to crash. - CVE-2018-1000122 OSS-fuzz, assisted by Max Dymond, discovered that curl could be tricked into copying data beyond the end of its heap based buffer when asked to transfer an RTSP URL.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 108345
    published 2018-03-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108345
    title Debian DSA-4136-1 : curl - security update
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1109.NASL
    description According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker, able to provide a specially crafted FTP URL to an application using libcurl, could write a NULL byte at an arbitrary location, resulting in a crash, or an unspecified behavior.(CVE-2018-1000120) - A NULL pointer dereference flaw was found in the way libcurl checks values returned by the openldap ldap_get_attribute_ber() function. A malicious LDAP server could use this flaw to crash a libcurl client application via a specially crafted LDAP reply.(CVE-2018-1000121) - A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage(CVE-2018-1000122) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 109507
    published 2018-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109507
    title EulerOS 2.0 SP1 : curl (EulerOS-SA-2018-1109)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1309.NASL
    description Multiple vulnerabilities were found in cURL, an URL transfer library : CVE-2018-1000120 Duy Phan Thanh reported that curl could be fooled into writing a zero byte out of bounds when curl was told to work on an FTP URL, with the setting to only issue a single CWD command. The issue could be triggered if the directory part of the URL contained a '%00' sequence. CVE-2018-1000121 Dario Weisser reported that curl might dereference a near-NULL address when getting an LDAP URL. A malicious server that sends a particularly crafted response could made crash applications that allowed LDAP URL relying on libcurl. CVE-2018-1000122 OSS-fuzz and Max Dymond found that curl can be tricked into copying data beyond the end of its heap based buffer when asked to transfer an RTSP URL. curl could calculate a wrong data length to copy from the read buffer. This could lead to information leakage or a denial of service. For Debian 7 'Wheezy', these problems have been fixed in version 7.26.0-1+wheezy25. We recommend that you upgrade your curl packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-31
    plugin id 108416
    published 2018-03-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108416
    title Debian DLA-1309-1 : curl security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-66C96E0024.NASL
    description - fix FTP path trickery leads to NIL byte out of bounds write (CVE-2018-1000120) - fix LDAP NULL pointer dereference (CVE-2018-1000121) - fix RTSP RTP buffer over-read (CVE-2018-1000122) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 108500
    published 2018-03-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108500
    title Fedora 26 : curl (2018-66c96e0024)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-8877B4CCAC.NASL
    description - fix FTP path trickery leads to NIL byte out of bounds write (CVE-2018-1000120) - fix LDAP NULL pointer dereference (CVE-2018-1000121) - fix RTSP RTP buffer over-read (CVE-2018-1000122) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 108502
    published 2018-03-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108502
    title Fedora 27 : curl (2018-8877b4ccac)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-1323-1.NASL
    description This update for curl fixes the following issues: curl was updated to version 7.37.0 (fate#325339 bsc#1084137) This update syncs the curl version to the one in SUSE Linux Enterprise 12 and is full binary compatible to the previous version. This update is done to allow other third-party software like 'R' to be able to be used on the SUSE Linux Enterprise 11 codebase. Following security issues were fixed : - CVE-2018-1000120: A buffer overflow exists in the FTP URL handling that allowed an attacker to cause a denial of service or possible code execution (bsc#1084521). - CVE-2018-1000121: A NULL pointer dereference exists in the LDAP code that allowed an attacker to cause a denial of service (bsc#1084524). - CVE-2018-1000122: A buffer over-read exists in the RTSP+RTP handling code that allowed an attacker to cause a denial of service or information leakage (bsc#1084532). The package also requires a libopenssl that implements the DEFAULT_SUSE cipher list (bsc#1081056, bsc#1083463,bsc#1086825) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 109890
    published 2018-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109890
    title SUSE SLES11 Security Update : curl (SUSE-SU-2018:1323-1)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2018-074-01.NASL
    description New curl packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen 2018-09-05
    modified 2018-09-04
    plugin id 108382
    published 2018-03-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108382
    title Slackware 14.0 / 14.1 / 14.2 / current : curl (SSA:2018-074-01)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-299.NASL
    description This update for curl fixes the following issues : Following security issues were fixed : - CVE-2018-1000120: A buffer overflow exists in the FTP URL handling that allowed an attacker to cause a denial of service or possible code execution (bsc#1084521). - CVE-2018-1000121: A NULL pointer dereference exists in the LDAP code that allowed an attacker to cause a denial of service (bsc#1084524). - CVE-2018-1000122: A buffer over-read exists in the RTSP+RTP handling code that allowed an attacker to cause a denial of service or information leakage (bsc#1084532). This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2018-09-04
    plugin id 108629
    published 2018-03-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108629
    title openSUSE Security Update : curl (openSUSE-2018-299)
redhat via4
advisories
  • rhsa
    id RHBA-2019:0327
  • rhsa
    id RHSA-2018:3157
  • rhsa
    id RHSA-2018:3558
rpms
  • curl-0:7.29.0-51.el7
  • libcurl-0:7.29.0-51.el7
  • libcurl-devel-0:7.29.0-51.el7
  • nss-pem-0:1.0.3-5.el7
refmap via4
bid 103436
confirm
debian DSA-4136
mlist [debian-lts-announce] 20180318 [SECURITY] [DLA 1309-1] curl security update
sectrack 1040530
ubuntu
  • USN-3598-1
  • USN-3598-2
Last major update 14-03-2018 - 14:29
Published 14-03-2018 - 14:29
Last modified 02-10-2019 - 20:03
Back to Top