CVE Tools

the curl project

OSS Librariesoss-project

17

Cumulative CVEs

4

Monthly snapshots

#58

Peak rank

Top products

Latest CVEs

The 15 most recently published vulnerabilities affecting the curl project.

CVE-2019-3823libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL ter...4.3Feb 6, 2019
CVE-2019-3822libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_me...9.8Feb 6, 2019
CVE-2018-16890libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) do...7.5Feb 6, 2019
CVE-2018-16842Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.4.4Oct 31, 2018
CVE-2018-16840A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` f...9.8Oct 31, 2018
CVE-2018-16839Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.4.3Oct 31, 2018
CVE-2016-8625curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong ...5.3Aug 1, 2018
CVE-2016-8623A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure.3.3Aug 1, 2018
CVE-2016-8620The 'globbing' feature in curl before version 7.51.0 has a flaw that leads to integer overflow and out-of-bounds read via user controlled input.6.5Aug 1, 2018
CVE-2016-8619The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.5.3Aug 1, 2018
CVE-2016-8616A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an...3.7Aug 1, 2018
CVE-2016-8615A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cook...5.3Aug 1, 2018
CVE-2016-8621The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out of bounds read if it receives an input with one digit short.5.3Jul 31, 2018
CVE-2016-8617The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.3.3Jul 31, 2018
CVE-2016-8624curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different ...5.3Jul 31, 2018