PT-2017-18551 · Curl+3 · Libcurl+4

Published: 2017-11-29 · Updated: 2026-05-18 · CVE-2017-8817

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

libcurl versions prior to 7.57.0
curl versions prior to 7.57.0

Description

The issue is in the FTP wildcard function in libcurl and curl. A pattern string that ends with a [ character can cause a denial of service (out-of-bounds read and application crash) or possibly have other unspecified impacts. The built-in wildcard function in libcurl does not detect the end of the pattern string if it ends with an open bracket, so it continues reading beyond the end of the URL buffer. Malicious servers can trigger the flaw by redirecting clients to a URL that uses such a wildcard pattern, especially in applications that use HTTP(S) URLs and have FTP wildcards enabled.

Recommendations

For libcurl versions prior to 7.57.0, update to version 7.57.0 or later to resolve the issue.
For curl versions prior to 7.57.0, update to version 7.57.0 or later to resolve the issue.
As a temporary workaround, consider disabling the CURLOPT_WILDCARDMATCH option until a patch is available.
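
The bounds handling the description refers to, as an added example that is not libcurl's code and not part of the original advisory: every step of the bracket scan tests for the terminating NUL, so a pattern ending in [ is rejected instead of read past. The grammar is a simplified assumption (backslash escapes and [...] sets only), and the function names and sample URLs are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Scan one bracket set at pat[*pos] == '['. Return 1 and advance *pos past
 * the closing ']', or return 0 if the NUL terminator comes first. NUL is
 * tested before every step, so a pattern ending in '[' is not read past. */
static int scan_set(const char *pat, size_t *pos)
{
    size_t i = *pos + 1;                       /* skip the '[' */
    for (; pat[i] != '\0'; i++) {
        if (pat[i] == '\\' && pat[i + 1] != '\0')
            i++;                               /* skip escaped character */
        else if (pat[i] == ']') {
            *pos = i + 1;
            return 1;
        }
    }
    return 0;                                  /* string ended inside the set */
}

/* Return 1 if every unescaped '[' has a closing ']' before the end of the
 * string, 0 otherwise. Simplified grammar: an assumption for this example,
 * not libcurl's matcher. */
int wildcard_pattern_is_well_formed(const char *pat)
{
    size_t i = 0;
    while (pat[i] != '\0') {
        if (pat[i] == '\\' && pat[i + 1] != '\0') {
            i += 2;                            /* escaped char is a literal */
        } else if (pat[i] == '[') {
            if (!scan_set(pat, &i))
                return 0;
        } else {
            i++;
        }
    }
    return 1;
}

int main(void)
{
    /* Constructed sample patterns; example.invalid is a placeholder host. */
    const char *samples[] = { "ftp://example.invalid/log[0-9].txt",
                              "ftp://example.invalid/log[" };
    for (size_t k = 0; k < 2; k++)
        printf("%-36s %s\n", samples[k],
               wildcard_pattern_is_well_formed(samples[k]) ? "ok" : "reject");
    return 0;
}
```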

Exploit

Fix

DoS

Buffer Over-read

Out of bounds Read


Weakness Enumeration

Related Identifiers

ALT-PU-2017-2714
ALT-PU-2018-2456
CLEANSTART-2026-AY18527
CLEANSTART-2026-BW46578
CLEANSTART-2026-DI23929
CLEANSTART-2026-LQ42192
CLEANSTART-2026-OF85770
CVE-2017-8817
DLA-1195-1
DSA-4051-1
MGASA-2018-0053
MGASA-2018-0054
OPENSUSE-SU-2024:10582-1
RHSA-2018:3558
SUSE-SU-2018:0122-1
USN-3498-1
USN-3498-2

Affected Products

Alt Linux
Suse
Ubuntu
Curl
Libcurl