Vulnerabilities in curl 7.4.1

curl version 7.4.1 was released on October 16 2000. The following 19 security problems are known to exist in this version.

| Flaw | From version | To and including | CVE | CWE |
|---|---|---|---|---|
| HTTP authentication leak in redirects | 6.0 | 7.57.0 | CVE-2018-1000007 | CWE-522: Insufficiently Protected Credentials |
| --write-out out of buffer read | 6.5 | 7.53.1 | CVE-2017-7407 | CWE-126: Buffer Over-read |
| printf floating point buffer overflow | 7.1 | 7.51.0 | CVE-2016-9586 | CWE-121: Stack-based Buffer Overflow |
| cookie injection for other servers | 7.1 | 7.50.3 | CVE-2016-8615 | CWE-187: Partial Comparison |
| OOB write via unchecked multiplication | 7.1 | 7.50.3 | CVE-2016-8617 | CWE-131: Incorrect Calculation of Buffer Size |
| double-free in curl_maprintf | 7.1 | 7.50.3 | CVE-2016-8618 | CWE-415: Double Free |
| double-free in krb5 code | 7.3 | 7.50.3 | CVE-2016-8619 | CWE-415: Double Free |
| invalid URL parsing with '#' | 7.1 | 7.50.3 | CVE-2016-8624 | CWE-172: Encoding Error |
| TLS session resumption client cert bypass | 7.1 | 7.50.0 | CVE-2016-5419 | CWE-305: Authentication Bypass by Primary Weakness |
| Re-using connections with wrong client cert | 7.1 | 7.50.0 | CVE-2016-5420 | CWE-305: Authentication Bypass by Primary Weakness |
| sensitive HTTP server headers also sent to proxies | 7.1 | 7.42.0 | CVE-2015-3153 | CWE-201: Information Exposure Through Sent Data |
| URL request injection | 6.0 | 7.39.0 | CVE-2014-8150 | CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') |
| cookie leak with IP address as domain | 7.1 | 7.37.1 | CVE-2014-3613 | CWE-201: Information Exposure Through Sent Data |
| IP address wildcard certificate validation | 7.1 | 7.35.0 | CVE-2014-0139 | CWE-297: Improper Validation of Certificate with Host Mismatch |
| cookie domain tailmatch | 6.0 | 7.29.0 | CVE-2013-1944 | CWE-201: Information Exposure Through Sent Data |
| embedded zero in cert name | 7.4 | 7.19.5 | CVE-2009-2417 | CWE-170: Improper Null Termination |
| Arbitrary File Access | 6.0 | 7.19.3 | CVE-2009-0037 | CWE-142: Improper Neutralization of Value Delimiters |
| Authentication Buffer Overflows | 7.3 | 7.13.0 | CVE-2005-0490 | CWE-121: Stack-based Buffer Overflow |
| Proxy Authentication Header Information Leakage | 7.1 | 7.10.6 | CVE-2003-1605 | CWE-201: Information Exposure Through Sent Data |

Changelog for curl 7.4.1

See vulnerability summary for the previous release: 7.4 or the subsequent release: 7.4.2