Medium severity6.5NVD Advisory· Published Oct 5, 2017· Updated May 13, 2026
CVE-2017-1000101
CVE-2017-1000101
Description
curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to wrongly read something else instead of crashing. An example of a URL that triggers the flaw would be http://ur%20[0-60000000000000000000.
Affected products
32cpe:2.3:a:haxx:curl:7.42.0:*:*:*:*:*:*:*+ 31 more
- cpe:2.3:a:haxx:curl:7.42.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.42.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.43.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.44.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.45.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.46.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.47.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.47.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.48.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.49.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.49.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.50.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.50.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.50.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.50.3:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.51.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.52.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.52.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.53.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.35.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.36.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.37.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.37.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.38.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.39.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.40.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.41.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.53.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.54.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.54.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.55.0:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- www.securityfocus.com/bid/100249nvdThird Party AdvisoryVDB Entry
- www.securitytracker.com/id/1039117nvdThird Party AdvisoryVDB Entry
- curl.haxx.se/docs/adv_20170809A.htmlnvdIssue TrackingVendor Advisory
- security.gentoo.org/glsa/201709-14nvdIssue TrackingThird Party Advisory
- www.debian.org/security/2017/dsa-3992nvd
- access.redhat.com/errata/RHSA-2018:3558nvd
- support.apple.com/HT208221nvd
News mentions
0No linked articles in our index yet.