Filtered by vendor Splunk
Subscriptions
Filtered by product Universal Forwarder
Subscriptions
Total
61 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-22924 | 8 Debian, Fedoraproject, Haxx and 5 more | 55 Debian Linux, Fedora, Libcurl and 52 more | 2024-08-03 | 3.7 Low |
| libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate. | ||||
| CVE-2021-22926 | 5 Haxx, Netapp, Oracle and 2 more | 26 Curl, Active Iq Unified Manager, Clustered Data Ontap and 23 more | 2024-08-03 | 7.5 High |
| libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the `CURLOPT_SSLCERT` option (`--cert` with the command line tool).When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certificate by name or with a file name - using the same option. If the name exists as a file, it will be used instead of by name.If the appliction runs with a current working directory that is writable by other users (like `/tmp`), a malicious user can create a file name with the same name as the app wants to use by name, and thereby trick the application to use the file based cert instead of the one referred to by name making libcurl send the wrong client certificate in the TLS connection handshake. | ||||
| CVE-2021-22890 | 9 Broadcom, Debian, Fedoraproject and 6 more | 12 Fabric Operating System, Debian Linux, Fedora and 9 more | 2024-08-03 | 3.7 Low |
| curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check. | ||||
| CVE-2021-22901 | 6 Haxx, Netapp, Oracle and 3 more | 35 Curl, Active Iq Unified Manager, Cloud Backup and 32 more | 2024-08-03 | 8.1 High |
| curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL, it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory, libcurl might even call a function pointer in the object, making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct place in memory. | ||||
| CVE-2021-22898 | 7 Debian, Fedoraproject, Haxx and 4 more | 13 Debian Linux, Fedora, Curl and 10 more | 2024-08-03 | 3.1 Low |
| curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol. | ||||
| CVE-2021-22897 | 5 Haxx, Netapp, Oracle and 2 more | 30 Curl, Cloud Backup, H300e and 27 more | 2024-08-03 | 5.3 Medium |
| curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly. | ||||
| CVE-2021-22876 | 9 Broadcom, Debian, Fedoraproject and 6 more | 15 Fabric Operating System, Debian Linux, Fedora and 12 more | 2024-08-03 | 5.3 Medium |
| curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. | ||||
| CVE-2021-3520 | 5 Lz4 Project, Netapp, Oracle and 2 more | 12 Lz4, Active Iq Unified Manager, Cloud Backup and 9 more | 2024-08-03 | 9.8 Critical |
| There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well. | ||||
| CVE-2022-43551 | 5 Fedoraproject, Haxx, Netapp and 2 more | 8 Fedora, Curl, Active Iq Unified Manager and 5 more | 2024-08-03 | 7.5 High |
| A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded. | ||||
| CVE-2022-43552 | 4 Apple, Haxx, Redhat and 1 more | 6 Macos, Curl, Enterprise Linux and 3 more | 2024-08-03 | 5.9 Medium |
| A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path. | ||||
| CVE-2022-42916 | 5 Apple, Fedoraproject, Haxx and 2 more | 5 Macos, Fedora, Curl and 2 more | 2024-08-03 | 7.5 High |
| In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26. | ||||
| CVE-2022-42915 | 6 Apple, Fedoraproject, Haxx and 3 more | 14 Macos, Fedora, Curl and 11 more | 2024-08-03 | 8.1 High |
| curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0. | ||||
| CVE-2022-36227 | 5 Debian, Fedoraproject, Libarchive and 2 more | 6 Debian Linux, Fedora, Libarchive and 3 more | 2024-08-03 | 9.8 Critical |
| In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: "In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution." | ||||
| CVE-2022-35737 | 4 Netapp, Redhat, Splunk and 1 more | 5 Ontap Select Deploy Administration Utility, Enterprise Linux, Rhel Eus and 2 more | 2024-08-03 | 7.5 High |
| SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API. | ||||
| CVE-2022-35260 | 4 Apple, Haxx, Netapp and 1 more | 12 Macos, Curl, Clustered Data Ontap and 9 more | 2024-08-03 | 6.5 Medium |
| curl can be told to parse a `.netrc` file for credentials. If that file endsin a line with 4095 consecutive non-white space letters and no newline, curlwould first read past the end of the stack-based buffer, and if the readworks, write a zero byte beyond its boundary.This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes.If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service. | ||||
| CVE-2022-35252 | 6 Apple, Debian, Haxx and 3 more | 21 Macos, Debian Linux, Curl and 18 more | 2024-08-03 | 3.7 Low |
| When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a"sister site" to deny service to all siblings. | ||||
| CVE-2022-32205 | 7 Apple, Debian, Fedoraproject and 4 more | 29 Macos, Debian Linux, Fedora and 26 more | 2024-08-03 | 4.3 Medium |
| A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method. | ||||
| CVE-2022-32206 | 7 Debian, Fedoraproject, Haxx and 4 more | 35 Debian Linux, Fedora, Curl and 32 more | 2024-08-03 | 6.5 Medium |
| curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors. | ||||
| CVE-2022-32207 | 7 Apple, Debian, Fedoraproject and 4 more | 21 Macos, Debian Linux, Fedora and 18 more | 2024-08-03 | 9.8 Critical |
| When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended. | ||||
| CVE-2022-32221 | 6 Apple, Debian, Haxx and 3 more | 16 Macos, Debian Linux, Curl and 13 more | 2024-08-03 | 9.8 Critical |
| When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST. | ||||