Vulnerabilities in curl 7.49.1

curl version 7.49.1 was released on May 30 2016. The following 32 security problems are known to exist in this version.

| Flaw | From version | To and including | CVE | CWE |
|---|---|---|---|---|
| RTSP bad headers buffer over-read | 7.20.0 | 7.59.0 | CVE-2018-1000301 | CWE-126: Buffer Over-read |
| RTSP RTP buffer over-read | 7.20.0 | 7.58.0 | CVE-2018-1000122 | CWE-126: Buffer Over-read |
| LDAP NULL pointer dereference | 7.21.0 | 7.58.0 | CVE-2018-1000121 | CWE-476: NULL Pointer Dereference |
| FTP path trickery leads to NIL byte out of bounds write | 7.12.3 | 7.58.0 | CVE-2018-1000120 | CWE-122: Heap-based Buffer Overflow |
| HTTP authentication leak in redirects | 6.0 | 7.57.0 | CVE-2018-1000007 | CWE-522: Insufficiently Protected Credentials |
| HTTP/2 trailer out-of-bounds read | 7.49.0 | 7.57.0 | CVE-2018-1000005 | CWE-126: Buffer Over-read |
| FTP wildcard out of bounds read | 7.21.0 | 7.56.1 | CVE-2017-8817 | CWE-126: Buffer Over-read |
| NTLM buffer overflow via integer overflow | 7.36.0 | 7.56.1 | CVE-2017-8816 | CWE-131: Incorrect Calculation of Buffer Size |
| IMAP FETCH response out of bounds read | 7.20.0 | 7.56.0 | CVE-2017-1000257 | CWE-126: Buffer Over-read |
| FTP PWD response parser out of bounds read | 7.7 | 7.55.1 | CVE-2017-1000254 | CWE-126: Buffer Over-read |
| URL globbing out of bounds read | 7.34.0 | 7.54.1 | CVE-2017-1000101 | CWE-126: Buffer Over-read |
| TFTP sends more than buffer size | 7.15.0 | 7.54.1 | CVE-2017-1000100 | CWE-126: Buffer Over-read |
| --write-out out of buffer read | 6.5 | 7.53.1 | CVE-2017-7407 | CWE-126: Buffer Over-read |
| printf floating point buffer overflow | 7.1 | 7.51.0 | CVE-2016-9586 | CWE-121: Stack-based Buffer Overflow |
| Win CE schannel cert wildcard matches too much | 7.30.0 | 7.51.0 | CVE-2016-9952 | CWE-295: Improper Certificate Validation |
| Win CE schannel cert name out of buffer read | 7.30.0 | 7.51.0 | CVE-2016-9953 | CWE-126: Buffer Over-read |
| cookie injection for other servers | 7.1 | 7.50.3 | CVE-2016-8615 | CWE-187: Partial Comparison |
| case insensitive password comparison | 7.7 | 7.50.3 | CVE-2016-8616 | CWE-178: Improper Handling of Case Sensitivity |
| OOB write via unchecked multiplication | 7.1 | 7.50.3 | CVE-2016-8617 | CWE-131: Incorrect Calculation of Buffer Size |
| double-free in curl_maprintf | 7.1 | 7.50.3 | CVE-2016-8618 | CWE-415: Double Free |
| double-free in krb5 code | 7.3 | 7.50.3 | CVE-2016-8619 | CWE-415: Double Free |
| glob parser write/read out of bounds | 7.34.0 | 7.50.3 | CVE-2016-8620 | CWE-122: Heap-based Buffer Overflow |
| curl_getdate read out of bounds | 7.12.2 | 7.50.3 | CVE-2016-8621 | CWE-126: Buffer Over-read |
| URL unescape heap overflow via integer truncation | 7.24.0 | 7.50.3 | CVE-2016-8622 | CWE-122: Heap-based Buffer Overflow |
| Use-after-free via shared cookies | 7.10.7 | 7.50.3 | CVE-2016-8623 | CWE-416: Use After Free |
| invalid URL parsing with '#' | 7.1 | 7.50.3 | CVE-2016-8624 | CWE-172: Encoding Error |
| IDNA 2003 makes curl use wrong host | 7.12.0 | 7.50.3 | CVE-2016-8625 | CWE-838: Inappropriate Encoding for Output Context |
| curl escape and unescape integer overflows | 7.11.1 | 7.50.2 | CVE-2016-7167 | CWE-131: Incorrect Calculation of Buffer Size |
| Incorrect reuse of client certificates | 7.19.6 | 7.50.1 | CVE-2016-7141 | CWE-305: Authentication Bypass by Primary Weakness |
| TLS session resumption client cert bypass | 7.1 | 7.50.0 | CVE-2016-5419 | CWE-305: Authentication Bypass by Primary Weakness |
| Re-using connections with wrong client cert | 7.1 | 7.50.0 | CVE-2016-5420 | CWE-305: Authentication Bypass by Primary Weakness |
| use of connection struct after free | 7.32.0 | 7.50.0 | CVE-2016-5421 | CWE-416: Use After Free |

Changelog for curl 7.49.1

See vulnerability summary for the previous release: 7.49.0 or the subsequent release: 7.50.0