CVE-2017-1000101

Опубликовано: 05 окт. 2017

Источник: nvd

CVSS3: 6.5

CVSS2: 4.3

EPSS Низкий

Описание

curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to wrongly read something else instead of crashing. An example of a URL that triggers the flaw would be http://ur%20[0-60000000000000000000.

Ссылки

http://www.debian.org/security/2017/dsa-3992
http://www.securityfocus.com/bid/100249
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1039117
Third Party Advisory
VDB Entry
https://access.redhat.com/errata/RHSA-2018:3558
https://curl.haxx.se/docs/adv_20170809A.html
Issue Tracking
Vendor Advisory
https://security.gentoo.org/glsa/201709-14
Issue Tracking
Third Party Advisory
https://support.apple.com/HT208221
http://www.debian.org/security/2017/dsa-3992
http://www.securityfocus.com/bid/100249
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1039117
Third Party Advisory
VDB Entry
https://access.redhat.com/errata/RHSA-2018:3558
https://curl.haxx.se/docs/adv_20170809A.html
Issue Tracking
Vendor Advisory
https://security.gentoo.org/glsa/201709-14
Issue Tracking
Third Party Advisory
https://support.apple.com/HT208221

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:haxx:curl:7.4.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.35.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.36.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.37.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.37.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.38.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.39.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.40.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.41.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.42.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.42.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.43.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.44.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.45.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.46.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.47.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.47.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.48.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.49.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.49.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.50.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.50.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.50.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.50.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.51.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.52.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.52.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.53.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.53.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.54.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.54.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.55.0:*:*:*:*:*:*:*

EPSS

Процентиль: 70%

0.00624

Низкий

6.5 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-119

Связанные уязвимости

CVE-2017-1000101

CVSS3: 6.5

ubuntu

больше 8 лет назад

CVE-2017-1000101

CVSS3: 4.2

redhat

больше 8 лет назад

CVE-2017-1000101

CVSS3: 6.5

debian

больше 8 лет назад

curl supports "globbing" of URLs, in which a user can pass a numerical ...

GHSA-qxxx-25g2-qj92

CVSS3: 6.5

github

больше 3 лет назад

openSUSE-SU-2017:2205-1

suse-cvrf

больше 8 лет назад

Security update for curl

EPSS

Процентиль: 70%

0.00624

Низкий

6.5 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-119