CURL-CVE-2005-4077

Source
https://curl.se/docs/CVE-2005-4077.html
Import Source
https://curl.se/docs/CURL-CVE-2005-4077.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2005-4077
Aliases
Published
2005-12-07T08:00:00Z
Modified
2024-01-25T02:42:43.696392Z
Summary
URL Buffer Overflow
Details

libcurl's URL parser function can overflow a heap-based buffer in two ways if given an overly long URL.

These overflows happen if you

1 - pass in a URL with no protocol prefix (like "http://") and no slash, where the string is 256 bytes or longer. This leads to a single zero-byte overflow of the heap buffer.

2 - pass in a URL with only a question mark as the separator (no slash) between the host and the query part of the URL. This leads to a single zero-byte overflow of the heap buffer.

Both overflows can be triggered by the same input string, leading to two single zero-byte overwrites.

This flaw cannot be triggered by a redirect; the long URL must be passed "directly" to libcurl, which makes it a "local" problem. Of course, many programs may still pass user-provided URLs to libcurl without doing much syntax checking of their own, allowing a user to exploit this vulnerability.

Database specific
{
    "package": "curl",
    "severity": "High",
    "www": "https://curl.se/docs/CVE-2005-4077.html",
    "last_affected": "7.15.0",
    "affects": "both",
    "CWE": {
        "id": "CWE-122",
        "desc": "Heap-based Buffer Overflow"
    },
    "URL": "https://curl.se/docs/CVE-2005-4077.json"
}
References
Credits
    • Stefan Esser - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER
    • Wilfried Weissmann - OTHER

Affected packages

Git /

Affected ranges

Type
SEMVER
Events
Introduced
7.11.2
Fixed
7.15.1

Affected versions

7.*

7.11.2
7.12.0
7.12.1
7.12.2
7.12.3
7.13.0
7.13.1
7.13.2
7.14.0
7.14.1
7.15.0