Nyymi

**Name of the Vulnerable Software and Affected Versions** cURL (affected versions not specified) **Description** This flaw allows a malicious HTTP server to set "super cookies" in cURL that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in cURL's function that verifies a given cookie domain against the Public Suffix List (PSL). For example, a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** curl versions prior to 8.1.0 **Description** A denial of service issue exists in the way libcurl provides several different backends for resolving host names. If libcurl is built to use the synchronous resolver, it allows name resolves to time-out slow operations using `alarm()` and `siglongjmp()`. This can cause a multi-threaded application to crash or misbehave due to a global buffer that is not mutex protected. The issue can be exploited by a remote attacker to cause a denial of service. **Recommendations** For versions prior to 8.1.0, update to version 8.1.0 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the synchronous resolver backend in multi-threaded applications until a patch is available. Restrict access to the vulnerable `alarm()` and `siglongjmp()` functions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** libcurl versions prior to 8.0.0 **Description** An authentication bypass issue exists in the FTP connection reuse feature of libcurl. This issue can result in wrong credentials being used during subsequent transfers, potentially allowing unauthorized access to sensitive information. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as `CURLOPT FTP ACCOUNT`, `CURLOPT FTP ALTERNATIVE TO USER`, `CURLOPT FTP SSL CCC`, and `CURLOPT USE SSL` were not included in the configuration match checks, causing them to match too easily. **Recommendations** For libcurl versions prior to 8.0.0, consider disabling the FTP connection reuse feature as a temporary workaround until a patch is available. Restrict access to sensitive information by minimizing the use of FTP connections. Avoid using the `CURLOPT FTP ACCOUNT`, `CURLOPT FTP ALTERNATIVE TO USER`, `CURLOPT FTP SSL CCC`, and `CURLOPT USE SSL` settings in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libcurl versions prior to 8.0.0 **Description** An authentication bypass issue exists where libcurl reuses a previously established SSH connection despite the fact that an SSH option was modified. This occurs because libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily and potentially leading to the reuse of an inappropriate connection. **Recommendations** For libcurl versions prior to 8.0.0, update to version 8.0.0 or later to resolve the issue. As a temporary workaround, consider disabling the reuse of previously established SSH connections until a patch is available. Restrict access to SSH settings to minimize the risk of exploitation. Avoid using modified SSH options in the affected libcurl versions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** curl versions prior to 7.88.0 **Description** A cleartext transmission of sensitive information issue exists in curl that could cause HSTS functionality to fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, this HSTS mechanism would be ignored by subsequent transfers when done on the same command line because the state would not be properly carried on. The issue can be reproduced by requesting multiple URLs serially, such as `https://curl.se` followed by `http://curl.se`, where the second URL fails to take advantage of the HSTS information returned by the first URL. **Recommendations** For versions prior to 7.88.0, update to version 7.88.0 or later to resolve the issue. As a temporary workaround, consider avoiding the use of multiple URLs in the same command line to minimize the risk of exploitation. Restrict access to sensitive information and use HTTPS instead of HTTP to reduce the risk of cleartext transmission of sensitive information.

**Name of the Vulnerable Software and Affected Versions** curl versions prior to 7.84.0 **Description** The issue is related to how curl saves cookies, alt-svc, and hsts data to local files. When curl performs this operation, it uses a temporary file that is later renamed to the final target filename. However, during this rename operation, the permissions for the target file might be accidentally widened, making the updated file accessible to more users than intended. This could potentially allow a remote attacker to disclose protected information or cause a denial of service. **Recommendations** For versions prior to 7.84.0, update to curl version 7.84.0 to resolve the issue. As a temporary workaround, consider restricting access to the files where cookies, alt-svc, and hsts data are saved to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** curl versions prior to 7.84.0 **Description** A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl. This can cause subsequent HTTP requests to become larger than the internal threshold of 1048576 bytes, resulting in an error. The denial state might remain for as long as the same cookies are kept and haven't expired. Due to cookie matching rules, a server can set cookies that also match for other servers on the same second level domain, making it possible for a "sister server" to effectively cause a denial of service for a sibling site. **Recommendations** For versions prior to 7.84.0, update to curl version 7.84.0 to resolve the issue. As a temporary workaround, consider restricting the use of the `Set-Cookie:` header or clearing excessive cookies to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** curl versions prior to 7.84.0 **Description** The issue is related to how curl handles message verification failures when doing FTP transfers secured by krb5. This flaw allows a Man-In-The-Middle attack to go unnoticed and enables the injection of data to the client. **Recommendations** For versions prior to 7.84.0, update to version 7.84.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** curl versions prior to 7.84.0 **Description** The issue concerns the support for "chained" HTTP compression algorithms in curl, where a server response can be compressed multiple times with different algorithms. A malicious server can exploit this by inserting a virtually unlimited number of compression steps, leading to a "malloc bomb" and causing curl to spend enormous amounts of allocated heap memory or return out of memory errors. This can result in a denial of service condition. **Recommendations** For versions prior to 7.84.0, update to curl version 7.84.0 to resolve the issue. As a temporary workaround, consider restricting the use of the "chained" HTTP compression algorithms to minimize the risk of exploitation. Avoid connecting to specially-crafted servers that could insert a large number of compression steps.

**Name of the Vulnerable Software and Affected Versions** libcurl (affected versions not specified) **Description** The issue is related to how libcurl handles previously used connections in a connection pool for subsequent transfers. When a TLS or SSH-related option is changed, it should prohibit the reuse of a previously created connection. However, several TLS and SSH settings were left out of the configuration match checks, making them match too easily. This could allow a remote attacker to gain unauthorized access to protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** curl versions 7.65.0 through 7.82.0 **Description** The issue is related to the implementation of the configuration matching function in the curl utility, which does not properly handle IPv6 address zone IDs. This can lead to incorrect connections being made when one transfer uses a zone ID and a subsequent transfer uses a different (or no) zone ID. The vulnerability allows a remote attacker to potentially reuse a connection, leading to information disclosure. **Recommendations** For curl versions 7.65.0 through 7.82.0, update to a version that fixes the issue with the configuration matching function to prevent incorrect connections and potential information disclosure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.