PT-2018-9297 · Curl+5 · Curl+5

Dario Weisser

Published

2018-03-14

Updated

2026-05-18

CVE-2018-1000121

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: curl versions 7.21.0 through 7.58.0

Description: A NULL pointer dereference issue exists in the LDAP code, allowing an attacker to cause a denial of service. The ldap get attribute ber() function can return a NULL pointer in the result pointer when getting a particularly crafted response, which can cause libcurl-using applications to crash. This issue affects applications that allow LDAP URLs or redirects to LDAP URLs.

Recommendations: For curl versions 7.21.0 through 7.58.0, consider disabling LDAP URL support as a temporary workaround until a patch is available. Restrict access to LDAP URLs to minimize the risk of exploitation. Avoid using the ldap get attribute ber() function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

DoS

NULL Pointer Dereference

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-476

Related Identifiers

ALT-PU-2018-1518

ALT-PU-2018-2456

CESA-2018_3157

CLEANSTART-2026-AY18527

CLEANSTART-2026-BW46578

CLEANSTART-2026-DI23929

CLEANSTART-2026-LQ42192

CLEANSTART-2026-OF85770

CVE-2018-1000121

DLA-1309-1

DSA-4136-1

MGASA-2018-0423

RHSA-2018:3157

RHSA-2018:3558

RHSA-2018_3157

RHSA-2020:0544

RHSA-2020:0594

SUSE-SU-2018:0769-1

SUSE-SU-2018:1323-1

USN-3598-1

USN-3598-2

Affected Products

Alt Linux

Centos

Red Hat

Suse

Ubuntu

Curl

PT-2018-9297 · Curl+5 · Curl+5

CVE-2018-1000121

Weakness Enumeration

Related Identifiers

Affected Products

References · 318