Stefan Eissing

**Name of the Vulnerable Software and Affected Versions** libcurl (affected versions not specified) **Description** A logical error in the connection pooling mechanism allows libcurl to reuse an incorrect connection during authenticated HTTP(S) requests to the same host. If an application first performs a request using Negotiate authentication with one set of credentials and subsequently attempts another request to the same server with different credentials while the initial connection is still active, the second request may wrongly reuse the existing connection. This results in the second request being sent over a connection still authenticated with the first user's credentials. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** curl (affected versions not specified) **Description** When using the Certificate Status Request TLS extension, commonly known as OCSP stapling, to verify server certificate validity, the software fails to detect OCSP problems and incorrectly treats the response as valid. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** curl (affected versions not specified) **Description** The software is susceptible to a use-after-free issue when handling SMB connection reuse. Specifically, when a second SMB request is made to the same host, the software incorrectly utilizes a data pointer that has already been freed from memory. This can lead to unpredictable behavior and potential security consequences. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** curl (affected versions not specified) **Description** curl improperly reuses an existing HTTP proxy connection when performing a CONNECT request to a server, even if the new request uses different credentials for the HTTP proxy. The expected behavior is to establish or utilize a distinct connection. This issue involves incorrect handling of proxy connections and authentication. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libcurl (affected versions not specified) **Description** The issue arises from an omission in libcurl's support for pinning the server certificate public key for HTTPS transfers when using QUIC for HTTP/3 with the wolfSSL TLS backend. Although the documentation suggests that this option works with wolfSSL, it fails to specify that the check is not performed in the context of QUIC and HTTP/3. As a result, users may unwittingly connect to an impostor server without noticing, since the transfer will succeed if the pin is fine. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libcurl (affected versions not specified) **Description** The issue occurs when libcurl establishes a QUIC connection to a host specified as an IP address in the URL, resulting in the accidental skipping of certificate verification. This failure to verify certificates makes it impossible to detect impostors or man-in-the-middle attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libcurl (affected versions not specified) **Description** The issue is related to the `GTime2str()` function in libcurl's ASN1 parser code, which is used for parsing an ASN.1 Generalized Time field. If given a syntactically incorrect field, the parser might end up using -1 for the length of the `time fraction`, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when `CURLINFO CERTINFO` is used. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libcurl (affected versions not specified) **Description** The issue is related to the implementation of TLS protocols in libcurl, where the server certificate is not checked when connecting to a host specified as an IP address, when built to use mbedTLS. This affects all uses of TLS protocols, including HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc. The vulnerability can be exploited by a remote attacker to conduct spoofing attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libcurl (affected versions not specified) **Description** The issue is related to a memory leak in libcurl when handling HTTP/2 server push. When the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push and inadvertently leaks memory. This error condition fails silently, making it difficult for applications to detect. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.