CURL-CVE-2009-0037

Source
https://curl.se/docs/CVE-2009-0037.html
Import Source
https://curl.se/docs/CURL-CVE-2009-0037.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2009-0037
Aliases
Published
2009-03-03T08:00:00Z
Modified
2024-07-02T09:22:24Z
Summary
Arbitrary File Access
Details

When told to follow a "redirect" automatically, libcurl does not question the new target URL but follows it to any new URL that it understands. As libcurl supports FILE:// URLs, a rogue server can thus "trick" a libcurl-using application to read a local file instead of the remote one.

This is a problem, for example, when the application is running on a server and is written to upload or to otherwise provide the transferred data to a user, to another server or to another application etc, as it can be used to expose local files it was not meant to.

The problem can also be exploited for uploading, if the rogue server redirects the client to a local file and thus it would (over)write a local file instead of sending it to the server.

libcurl compiled to support SCP can get tricked to get a file using embedded semicolons, which can lead to execution of commands on the given server. Location: scp://name:passwd@host/a;date >/tmp/test;.

Files on servers other than the one running libcurl are also accessible when credentials for those servers are stored in the .netrc file of the user running libcurl. This is most common for FTP servers, but can occur with any protocol supported by libcurl. Files on remote SSH servers are also accessible when the user has an unencrypted SSH key.

Database specific
{
    "CWE": {
        "id": "CWE-142",
        "desc": "Improper Neutralization of Value Delimiters"
    },
    "package": "curl",
    "URL": "https://curl.se/docs/CVE-2009-0037.json",
    "severity": "Medium",
    "www": "https://curl.se/docs/CVE-2009-0037.html",
    "last_affected": "7.19.3"
}
References
Credits
    • David Kierznowski - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
5.11
Fixed
7.19.4
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

5.*

5.11

6.*

6.0
6.1
6.2
6.3
6.3.1
6.4
6.5
6.5.1
6.5.2

7.*

7.1
7.1.1
7.10
7.10.1
7.10.2
7.10.3
7.10.4
7.10.5
7.10.6
7.10.7
7.10.8
7.11.0
7.11.1
7.11.2
7.12.0
7.12.1
7.12.2
7.12.3
7.13.0
7.13.1
7.13.2
7.14.0
7.14.1
7.15.0
7.15.1
7.15.2
7.15.3
7.15.4
7.15.5
7.16.0
7.16.1
7.16.2
7.16.3
7.16.4
7.17.0
7.17.1
7.18.0
7.18.1
7.18.2
7.19.0
7.19.1
7.19.2
7.19.3
7.2
7.2.1
7.3
7.4
7.4.1
7.4.2
7.5
7.5.1
7.5.2
7.6
7.6.1
7.7
7.7.1
7.7.2
7.7.3
7.8
7.8.1
7.9
7.9.1
7.9.2
7.9.3
7.9.4
7.9.5
7.9.6
7.9.7
7.9.8