PT-2019-4008 · Curl+6

Published 2019-09-11 · Updated 2026-05-18 · CVE-2019-5482

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: cURL versions 7.19.4 through 7.65.3
Description: The issue is a heap buffer overflow in the TFTP protocol handler. A remote attacker can exploit it to access confidential data, compromise data integrity, and cause a denial of service. The flaw is triggered when a TFTP server sends an OACK without the BLKSIZE option after the TFTP client requested a BLKSIZE smaller than 512 bytes. The overflow occurs in the tftp_receive_packet() function in libcurl, and the server controls the content that overwrites the heap memory.
Recommendations: For cURL versions 7.19.4 through 7.65.3, consider disabling the tftp_receive_packet() function as a temporary workaround until a patch is available. Restrict access to TFTP servers that use the OACK extension without the BLKSIZE option to minimize the risk of exploitation. Avoid requesting block sizes smaller than the default, as this is a rare use case and increases the risk of triggering the flaw. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
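The trigger condition described above (client requests a BLKSIZE below 512 bytes, server answers with an OACK that omits BLKSIZE) can be checked on the wire, for example in a TFTP proxy or IDS rule that sits in front of clients running an affected libcurl. The following is an added example, not code from this record or from the cURL project: it parses the RFC 2347 option fields of a read/write request and of the matching OACK and flags the combination the record describes. The packet bytes are constructed for illustration, and the function and constant names are this example's own.

```python
import struct

# TFTP opcodes (RFC 1350 / RFC 2347) and the protocol's default block size.
OP_RRQ, OP_WRQ, OP_OACK = 1, 2, 6
DEFAULT_BLKSIZE = 512


def _nul_fields(payload: bytes) -> list:
    """Split a run of NUL-terminated ASCII strings into a list of str."""
    if not payload:
        return []
    if not payload.endswith(b"\x00"):
        raise ValueError("truncated TFTP packet: missing final NUL")
    return [f.decode("ascii") for f in payload[:-1].split(b"\x00")]


def _opcode(pkt: bytes) -> int:
    if len(pkt) < 2:
        raise ValueError("TFTP packet shorter than an opcode")
    (opcode,) = struct.unpack("!H", pkt[:2])
    return opcode


def parse_request_options(pkt: bytes) -> dict:
    """Return the options carried in an RRQ/WRQ as {name: value} (names lowercased)."""
    if _opcode(pkt) not in (OP_RRQ, OP_WRQ):
        raise ValueError("not a read/write request")
    fields = _nul_fields(pkt[2:])
    # fields[0] is the filename, fields[1] the mode, then name/value pairs.
    if len(fields) < 2 or len(fields) % 2 != 0:
        raise ValueError("malformed request: odd number of fields")
    opts = fields[2:]
    return {opts[i].lower(): opts[i + 1] for i in range(0, len(opts), 2)}


def parse_oack_options(pkt: bytes) -> dict:
    """Return the options acknowledged in an OACK as {name: value}."""
    if _opcode(pkt) != OP_OACK:
        raise ValueError("not an OACK")
    fields = _nul_fields(pkt[2:])
    if len(fields) % 2 != 0:
        raise ValueError("malformed OACK: option without value")
    return {fields[i].lower(): fields[i + 1] for i in range(0, len(fields), 2)}


def oack_matches_cve_2019_5482(request: bytes, oack: bytes) -> bool:
    """True when the exchange matches the record's trigger condition:
    the client asked for blksize < 512 and the server's OACK omits blksize."""
    requested = parse_request_options(request).get("blksize")
    if requested is None:
        return False            # client did not negotiate a block size
    try:
        if int(requested) >= DEFAULT_BLKSIZE:
            return False        # larger-than-default request is not the risky case
    except ValueError:
        return False            # non-numeric blksize is a different protocol error
    return "blksize" not in parse_oack_options(oack)


# Constructed sample packets (not captured traffic).
RRQ_SMALL_BLKSIZE = b"\x00\x01" + b"file.bin\x00octet\x00blksize\x00256\x00tsize\x000\x00"
RRQ_DEFAULT = b"\x00\x01" + b"file.bin\x00octet\x00"
OACK_NO_BLKSIZE = b"\x00\x06" + b"tsize\x001024\x00"
OACK_WITH_BLKSIZE = b"\x00\x06" + b"blksize\x00256\x00tsize\x001024\x00"

if __name__ == "__main__":
    for name, req, ack in [
        ("small blksize, OACK drops it", RRQ_SMALL_BLKSIZE, OACK_NO_BLKSIZE),
        ("small blksize, OACK echoes it", RRQ_SMALL_BLKSIZE, OACK_WITH_BLKSIZE),
        ("no blksize requested", RRQ_DEFAULT, OACK_NO_BLKSIZE),
    ]:
        print(f"{name}: {'FLAG' if oack_matches_cve_2019_5482(req, ack) else 'ok'}")
```

A match means the server's reply would make an unpatched client fall back to 512-byte data blocks while it still holds a buffer sized for the smaller value it requested; a proxy can drop the OACK or terminate the transfer at that point rather than forward it to the client.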

DoS

Buffer Overflow

Heap Based Buffer Overflow

Memory Corruption


Weakness Enumeration

Related Identifiers

ALT-PU-2019-2679
ALT-PU-2020-1220
ALT-PU-2020-1827
ALT-PU-2020-2447
BDU:2019-04539
CESA-2020_1792
CESA-2020_3916
CLEANSTART-2026-AY18527
CLEANSTART-2026-BW46578
CLEANSTART-2026-DI23929
CLEANSTART-2026-LQ42192
CLEANSTART-2026-OF85770
CVE-2019-5482
DLA-1917-1
DSA-4633-1
MGASA-2019-0337
OPENSUSE-SU-2019:2149-1
OPENSUSE-SU-2019:2169-1
OPENSUSE-SU-2019_2149-1
OPENSUSE-SU-2019_2169-1
OPENSUSE-SU-2024:10582-1
RHSA-2020:0250
RHSA-2020:1792
RHSA-2020:3916
RHSA-2020_1792
RHSA-2020_3916
RHSA-2021:0759
RHSA-2021:0877
RHSA-2021:1027
SUSE-SU-2019:14172-1
SUSE-SU-2019:2339-2
SUSE-SU-2019:2373-1
SUSE-SU-2019:2381-1
SUSE-SU-2019_14172-1
SUSE-SU-2019_2339-2
USN-4129-1
USN-4129-2

Affected Products

Alt Linux
Centos
Mysql Server
Red Hat
Suse
Ubuntu
Curl