Volema

**Name of the Vulnerable Software and Affected Versions** curl versions 7.26.0 through 7.28.1 curl versions prior to 7.34.0 **Description** The issue is related to a stack-based buffer overflow in the `Curl sasl create digest md5 message` function when negotiating SASL DIGEST-MD5 authentication. This can be exploited by remote attackers via a long string in the `realm` parameter in POP3, SMTP, or IMAP messages, potentially leading to a denial of service or execution of arbitrary code. The vulnerability can be exploited by someone in control of a server that a libcurl-based program is accessing, or by a malicious user feeding an application with a URL to a server hosting code targeting this flaw. This vulnerability can be used for remote code execution on vulnerable systems. **Recommendations** For curl versions 7.26.0 through 7.28.1, update to a version later than 7.28.1. For curl versions prior to 7.34.0, update to version 7.34.0 or later. As a temporary workaround, consider restricting access to the `Curl sasl create digest md5 message` function until a patch is available. Avoid using the `realm` parameter in affected API endpoints until the issue is resolved.