CVE-2019-5481

Name of the Vulnerable Software and Affected Versions libcurl versions 7.52.0 through 7.65.3

Description The issue is related to a double-free vulnerability in the FTP-kerberos code. This vulnerability can be exploited by a remote attacker to gain access to confidential data, compromise data integrity, and cause a denial of service. The vulnerability occurs when libcurl is used with the CURLOPT KRBLEVEL option to enable kerberos over FTP. A malicious server can send a large block of data, causing libcurl's realloc() call to fail, leading to a double-free error. This issue is more likely to occur on 32-bit systems due to memory allocation limitations.

Recommendations For libcurl versions 7.52.0 through 7.65.3, consider disabling the CURLOPT KRBLEVEL option as a temporary workaround to prevent exploitation until a patch is available. Restrict access to kerberos FTP to minimize the risk of exploitation. Avoid using kerberos authentication with untrusted servers. At the moment, there is no information about a newer version that contains a fix for this vulnerability.