rpm package
suse/curl&distro=SUSE OpenStack Cloud Crowbar 9
pkg:rpm/suse/curl&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
Vulnerabilities (28)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-22924 | — | < 7.60.0-4.25.1 | 7.60.0-4.25.1 | Aug 5, 2021 | libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively | ||
| CVE-2021-22923 | — | < 7.60.0-4.25.1 | 7.60.0-4.25.1 | Aug 5, 2021 | When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents | ||
| CVE-2021-22898 | Low | 3.1 | < 7.60.0-4.20.1 | 7.60.0-4.20.1 | Jun 11, 2021 | curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could | |
| CVE-2021-22876 | — | < 7.60.0-4.20.1 | 7.60.0-4.20.1 | Apr 1, 2021 | curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP | ||
| CVE-2020-8285 | Hig | 7.5 | < 7.60.0-4.20.1 | 7.60.0-4.20.1 | Dec 14, 2020 | curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing. | |
| CVE-2020-8284 | Low | 3.7 | < 7.60.0-4.20.1 | 7.60.0-4.20.1 | Dec 14, 2020 | A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanni | |
| CVE-2020-8286 | — | < 7.60.0-4.20.1 | 7.60.0-4.20.1 | Dec 14, 2020 | curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response. | ||
| CVE-2020-8231 | — | < 7.60.0-4.20.1 | 7.60.0-4.20.1 | Dec 14, 2020 | Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data. |
- CVE-2021-22924Aug 5, 2021affected < 7.60.0-4.25.1fixed 7.60.0-4.25.1
libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively
- CVE-2021-22923Aug 5, 2021affected < 7.60.0-4.25.1fixed 7.60.0-4.25.1
When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents
- affected < 7.60.0-4.20.1fixed 7.60.0-4.20.1
curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could
- CVE-2021-22876Apr 1, 2021affected < 7.60.0-4.20.1fixed 7.60.0-4.20.1
curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP
- affected < 7.60.0-4.20.1fixed 7.60.0-4.20.1
curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.
- affected < 7.60.0-4.20.1fixed 7.60.0-4.20.1
A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanni
- CVE-2020-8286Dec 14, 2020affected < 7.60.0-4.20.1fixed 7.60.0-4.20.1
curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.
- CVE-2020-8231Dec 14, 2020affected < 7.60.0-4.20.1fixed 7.60.0-4.20.1
Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data.
Page 2 of 2