PT-2020-6189 · Curl+8 · Libcurl+8
Published: 2020-07-31 · Updated: 2026-05-18 · CVE-2020-8231
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
libcurl versions 7.29.0 through 7.71.1
Description
The issue is a dangling pointer that can cause libcurl to use the wrong connection when sending data. This can lead to a remote attacker gaining access to confidential data. The problem occurs when an application uses libcurl's multi API, sets the CURLOPT_CONNECT_ONLY option, and then hits rare circumstances in which libcurl picks and uses the wrong connection. The CURLOPT_CONNECT_ONLY option tells libcurl to only connect, not perform an actual transfer. If the initial connect-only connection is closed and new transfers are set up, a new connection might end up at the same memory address as the closed connect-only connection. As a result, libcurl could erroneously find an existing connection still alive at the remembered address, even though it is now a new and different connection. This can cause the application to accidentally send data over the wrong connection.
Recommendations
For libcurl versions 7.29.0 through 7.71.1, consider disabling the CURLOPT_CONNECT_ONLY option as a temporary workaround until a patch is available. Restrict access to the multi API to minimize the risk of exploitation. Avoid using the curl_easy_send() function to send raw data over a connection that was set up with the CURLOPT_CONNECT_ONLY option until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Use After Free
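The address-reuse condition from the Description, modelled in a small C program that is an added example and not libcurl's code. A fixed pool stands in for the heap so that slot reuse is deterministic; `conn_open`, `find_by_ptr`, `find_by_id`, `send_target` and the host names are hypothetical. It contrasts remembering the last connection by address with remembering it by an id that is never reused.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model, not libcurl code: a fixed pool stands in for the heap,
 * so a closed slot being handed out again models address reuse. */
struct conn { int in_use; long id; char peer[32]; };
static struct conn pool[2];
static long next_id = 1;

static struct conn *conn_open(const char *peer) {
    for (size_t i = 0; i < 2; i++) {
        if (pool[i].in_use) continue;
        pool[i].in_use = 1;
        pool[i].id = next_id++;               /* ids are never reused */
        snprintf(pool[i].peer, sizeof pool[i].peer, "%s", peer);
        return &pool[i];
    }
    return NULL;
}
static void conn_close(struct conn *c) { c->in_use = 0; }

/* Weak check: is any live connection at the remembered address? */
static struct conn *find_by_ptr(const struct conn *remembered) {
    for (size_t i = 0; i < 2; i++)
        if (pool[i].in_use && &pool[i] == remembered) return &pool[i];
    return NULL;
}

/* Hardened check: match on an identity that is never reused. */
static struct conn *find_by_id(long remembered_id) {
    for (size_t i = 0; i < 2; i++)
        if (pool[i].in_use && pool[i].id == remembered_id) return &pool[i];
    return NULL;
}

/* Peer that a later raw send would reach, or NULL when the lookup refuses. */
static const char *send_target(int use_id) {
    memset(pool, 0, sizeof pool);
    struct conn *c = conn_open("connect-only.example");
    const struct conn *last_ptr = c;          /* what the handle remembers */
    long last_id = c->id;
    conn_close(c);                            /* connect-only connection closes */
    conn_open("new-transfer.example");        /* new connection, same address */
    struct conn *hit = use_id ? find_by_id(last_id) : find_by_ptr(last_ptr);
    return hit ? hit->peer : NULL;
}

int main(void) {
    printf("by pointer: %s\n", send_target(0));
    printf("by id: %s\n", send_target(1) ? "wrong peer" : "refused");
    return 0;
}
```

The pointer lookup reports the unrelated new connection as the remembered one, while the id lookup finds nothing and the send is refused.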
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Centos
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu
Libcurl