When curl is instructed to get content using the metalink feature and a user name and password are used to download the metalink XML file those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.

When curl is instructed to download content using the metalink feature thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.

curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client. When libcurl at run-time sets up support for TLS 1.3 session tickets on a connection using OpenSSL it stores pointers to the transfer in-memory object for later retrieval when a session ticket arrives. If the connection is used by multiple transfers (like with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection) that first transfer object might be freed before the new session is established on that connection and then the function will access a memory buffer that might be freed. When using that memory libcurl might even call a function pointer in the object making it possible for a remote code execution if the server could somehow manage to get crafted memory content into the correct

curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option known as `CURLOPT_TELNETOPTIONS` in libcurl is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables libcurl could be made to pass on uninitialized data from a stack based buffer to the server resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.

curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library which has the surprising side-effect that if an application sets up multiple concurrent transfers the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario this weakens transport security significantly.

In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with the ability to submit arbitrary queries to Elasticsearch could create a malicious Grok query that will crash the Elasticsearch node.