rpm package
opensuse/curl&distro=openSUSE Leap 15.2
pkg:rpm/opensuse/curl&distro=openSUSE%20Leap%2015.2
Vulnerabilities (15)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-22947 | Med | 5.9 | < 7.66.0-lp152.3.24.1 | 7.66.0-lp152.3.24.1 | Sep 29, 2021 | When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached r | |
| CVE-2021-22946 | Hig | 7.5 | < 7.66.0-lp152.3.24.1 | 7.66.0-lp152.3.24.1 | Sep 29, 2021 | A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed | |
| CVE-2021-22925 | Med | 5.3 | < 7.66.0-lp152.3.21.1 | 7.66.0-lp152.3.21.1 | Aug 5, 2021 | curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized | |
| CVE-2021-22922 | Med | 6.5 | < 7.66.0-lp152.3.21.1 | 7.66.0-lp152.3.21.1 | Aug 5, 2021 | When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different | |
| CVE-2021-22924 | — | < 7.66.0-lp152.3.21.1 | 7.66.0-lp152.3.21.1 | Aug 5, 2021 | libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively | ||
| CVE-2021-22923 | — | < 7.66.0-lp152.3.21.1 | 7.66.0-lp152.3.21.1 | Aug 5, 2021 | When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents | ||
| CVE-2021-22898 | Low | 3.1 | < 7.66.0-lp152.3.18.1 | 7.66.0-lp152.3.18.1 | Jun 11, 2021 | curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could | |
| CVE-2021-22890 | — | < 7.66.0-lp152.3.15.1 | 7.66.0-lp152.3.15.1 | Apr 1, 2021 | curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as | ||
| CVE-2021-22876 | — | < 7.66.0-lp152.3.15.1 | 7.66.0-lp152.3.15.1 | Apr 1, 2021 | curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP | ||
| CVE-2020-8285 | Hig | 7.5 | < 7.66.0-lp152.3.12.1 | 7.66.0-lp152.3.12.1 | Dec 14, 2020 | curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing. | |
| CVE-2020-8284 | Low | 3.7 | < 7.66.0-lp152.3.12.1 | 7.66.0-lp152.3.12.1 | Dec 14, 2020 | A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanni | |
| CVE-2020-8177 | Hig | 7.8 | < 7.66.0-lp152.3.3.1 | 7.66.0-lp152.3.3.1 | Dec 14, 2020 | curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used. | |
| CVE-2020-8169 | — | < 7.66.0-lp152.3.3.1 | 7.66.0-lp152.3.3.1 | Dec 14, 2020 | curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s). | ||
| CVE-2020-8286 | — | < 7.66.0-lp152.3.12.1 | 7.66.0-lp152.3.12.1 | Dec 14, 2020 | curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response. | ||
| CVE-2020-8231 | — | < 7.66.0-lp152.3.6.1 | 7.66.0-lp152.3.6.1 | Dec 14, 2020 | Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data. |
- affected < 7.66.0-lp152.3.24.1fixed 7.66.0-lp152.3.24.1
When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached r
- affected < 7.66.0-lp152.3.24.1fixed 7.66.0-lp152.3.24.1
A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed
- affected < 7.66.0-lp152.3.21.1fixed 7.66.0-lp152.3.21.1
curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized
- affected < 7.66.0-lp152.3.21.1fixed 7.66.0-lp152.3.21.1
When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different
- CVE-2021-22924Aug 5, 2021affected < 7.66.0-lp152.3.21.1fixed 7.66.0-lp152.3.21.1
libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively
- CVE-2021-22923Aug 5, 2021affected < 7.66.0-lp152.3.21.1fixed 7.66.0-lp152.3.21.1
When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents
- affected < 7.66.0-lp152.3.18.1fixed 7.66.0-lp152.3.18.1
curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could
- CVE-2021-22890Apr 1, 2021affected < 7.66.0-lp152.3.15.1fixed 7.66.0-lp152.3.15.1
curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as
- CVE-2021-22876Apr 1, 2021affected < 7.66.0-lp152.3.15.1fixed 7.66.0-lp152.3.15.1
curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP
- affected < 7.66.0-lp152.3.12.1fixed 7.66.0-lp152.3.12.1
curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.
- affected < 7.66.0-lp152.3.12.1fixed 7.66.0-lp152.3.12.1
A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanni
- affected < 7.66.0-lp152.3.3.1fixed 7.66.0-lp152.3.3.1
curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.
- CVE-2020-8169Dec 14, 2020affected < 7.66.0-lp152.3.3.1fixed 7.66.0-lp152.3.3.1
curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s).
- CVE-2020-8286Dec 14, 2020affected < 7.66.0-lp152.3.12.1fixed 7.66.0-lp152.3.12.1
curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.
- CVE-2020-8231Dec 14, 2020affected < 7.66.0-lp152.3.6.1fixed 7.66.0-lp152.3.6.1
Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data.