rpm package
suse/curl&distro=SUSE Linux Enterprise Micro 5.1
pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Micro%205.1
Vulnerabilities (32)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-43552 | — | | | < 7.66.0-150200.4.45.1 | 7.66.0-150200.4.45.1 | Feb 9, 2023 | A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl wo |
| CVE-2022-32221 | — | | | < 7.66.0-150200.4.42.1 | 7.66.0-150200.4.42.1 | Dec 5, 2022 | When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This f |
| CVE-2022-35252 | — | | | < 7.66.0-150200.4.39.1 | 7.66.0-150200.4.39.1 | Sep 23, 2022 | When curl is used to retrieve and parse cookies from a HTTP(S) server, it accepts cookies using control codes that when later are sent back to a HTTP server might make the server return 400 responses. Effectively allowing a "sister site" to deny service to all siblings. |
| CVE-2022-32208 | — | | | < 7.66.0-150200.4.36.1 | 7.66.0-150200.4.36.1 | Jul 7, 2022 | When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client. |
| CVE-2022-32206 | — | | | < 7.66.0-150200.4.36.1 | 7.66.0-150200.4.36.1 | Jul 7, 2022 | curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to ins |
| CVE-2022-27782 | Hig | 7.5 | | < 7.66.0-150200.4.33.1 | 7.66.0-150200.4.33.1 | Jun 2, 2022 | libcurl would reuse a previously created connection even when a TLS or SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, s |
| CVE-2022-27781 | Hig | 7.5 | | < 7.66.0-150200.4.33.1 | 7.66.0-150200.4.33.1 | Jun 2, 2022 | libcurl provides the `CURLOPT_CERTINFO` option to allow applications to request details to be returned about a server's certificate chain. Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve |
| CVE-2022-27775 | Hig | 7.5 | | < 7.66.0-150200.4.30.1 | 7.66.0-150200.4.30.1 | Jun 2, 2022 | An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0: by using an IPv6 address that was in the connection pool but with a different zone id, it could reuse a connection instead. |
| CVE-2022-27776 | — | | | < 7.66.0-150200.4.30.1 | 7.66.0-150200.4.30.1 | Jun 1, 2022 | An insufficiently protected credentials vulnerability fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number. |
| CVE-2022-22576 | Hig | 8.1 | | < 7.66.0-150200.4.30.1 | 7.66.0-150200.4.30.1 | May 26, 2022 | An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse of OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL |
| CVE-2021-22947 | Med | 5.9 | | < 7.66.0-4.27.1 | 7.66.0-4.27.1 | Sep 29, 2021 | When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached r |
| CVE-2021-22946 | Hig | 7.5 | | < 7.66.0-4.27.1 | 7.66.0-4.27.1 | Sep 29, 2021 | A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or `CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` with libcurl). This requirement could be bypassed |