curl-openssl1 (SUSE:Linux Enterprise Server 11-SECURITY) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the SUSE:Linux Enterprise Server 11-SECURITY package curl-openssl1, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVE-2018-1000120 — CVSS 9.8 (critical): A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 in the FTP URL handling that allows an attacker to cause a denial of…
CVE-2018-1000007 — CVSS 9.8 (critical): libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. When asked to send custom headers in its HTTP…
CVE-2016-7167 — CVSS 9.8 (critical): Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl…
CVE-2018-16840 — CVSS 9.8 (critical): A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When…
CVE-2018-1000122 — CVSS 9.1 (critical): A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a…
CVE-2018-1000301 — CVSS 9.1 (critical): curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can…
CVE-2020-8177 — CVSS 7.8 (high): curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a…
CVE-2019-5436 — CVSS 7.8 (high): A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.
CVE-2016-5419 — CVSS 7.5 (high): curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers…
CVE-2016-5420 — CVSS 7.5 (high): curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote…
CVE-2016-7141 — CVSS 7.5 (high): curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack…
CVE-2017-1000254 — CVSS 7.5 (high): libcurl may read outside of a heap allocated buffer when doing FTP. When libcurl connects to an FTP server and successfully logs in…
CVE-2018-1000121 — CVSS 7.5 (high): A NULL pointer dereference exists in curl 7.21.0 to and including curl 7.58.0 in the LDAP code that allows an attacker to cause a denial of…
CVE-2018-14618 — CVSS 7.5 (high): curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_has…
CVE-2020-8231 — CVSS 7.5 (high): Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data.
CVE-2020-8285 — CVSS 7.5 (high): curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.
CVE-2021-22946 — CVSS 7.5 (high): A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server…
CVE-2021-22922 — CVSS 6.5 (medium): When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML…
CVE-2017-1000100 — CVSS 6.5 (medium): When doing a TFTP transfer and curl/libcurl is given a URL that contains a very long file name (longer than about 515 bytes), the file name…
CVE-2016-8620 — CVSS 6.5 (medium): The 'globbing' feature in curl before version 7.51.0 has a flaw that leads to integer overflow and out-of-bounds read via user controlled…
CVE-2016-9586 — CVSS 5.9 (medium): curl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the…
CVE-2021-22947 — CVSS 5.9 (medium): When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server…
CVE-2021-22923 — CVSS 5.3 (medium): When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file…
CVE-2016-8615 — CVSS 5.3 (medium): A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for…
CVE-2021-22925 — CVSS 5.3 (medium): curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send…
CVE-2021-22876 — CVSS 5.3 (medium): curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking…
CVE-2016-8624 — CVSS 5.3 (medium): curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character…
CVE-2016-8619 — CVSS 5.3 (medium): The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.
CVE-2016-8621 — CVSS 5.3 (medium): The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out of bounds read if it receives an input with one digit…
CVE-2016-8618 — CVSS 5.3 (medium): The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t`…
CVE-2018-16842 — CVSS 4.4 (medium): Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in…
CVE-2016-8622 — CVSS 3.7 (low): The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would…
CVE-2021-22924 — CVSS 3.7 (low): libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to…
CVE-2016-8616 — CVSS 3.7 (low): A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and…
CVE-2020-8284 — CVSS 3.7 (low): A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and…
CVE-2016-8623 — CVSS 3.3 (low): A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to…
CVE-2016-8617 — CVSS 3.3 (low): The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at…
CVE-2021-22898 — CVSS 3.1 (low): curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in…
CVE-2017-7407 — CVSS 2.4 (low): The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from…