curl - HackerOne Reports
Total Reports: 247
Critical: 13
High: 47
Medium: 82
Low: 64
CVE-2022-27779: cookie for trailing dot TLD
Reported by: haxatron1 | Disclosed:
Severity: Medium
Weakness: Information Exposure Through Sent Data
CVEs: CVE-2014-3620
CVE-2022-27780: percent-encoded path separator in URL host
Reported by: haxatron1 | Disclosed:
Severity: Medium
Weakness: Server-Side Request Forgery (SSRF)
CVE-2022-27778: curl removes wrong file on error
Reported by: nyymi | Disclosed:
Severity: Medium
Weakness: Business Logic Errors
OpenSSL HTTP/3 bogus CURLINFO_TLS_SSL_PTR
Reported by: nyymi | Disclosed:
Weakness: Use After Free
GnuTLS CURLINFO_TLS_SESSION / CURLINFO_TLS_SSL_PTR type confusion
Reported by: nyymi | Disclosed:
Weakness: Type Confusion
CVE-2019-5435: An integer overflow found in /lib/urlapi.c
Reported by: 1wc | Disclosed:
Severity: Low
Weakness: Incorrect Calculation of Buffer Size
CVEs: CVE-2018-14618
Buffer Overflow Risk in Curl_inet_ntop and inet_ntop4
Reported by: b3fbcf5debe00185bbe06c0 | Disclosed:
Severity: High
Weakness: Classic Buffer Overflow
Integer overflows in tool_operate.c at line 1541
Reported by: cjun | Disclosed:
Severity: Low
Weakness: Integer Overflow
CVE-2023-27538: SSH connection too eager reuse still
Reported by: nyymi | Disclosed:
Severity: Low
Weakness: Authentication Bypass by Primary Weakness
[High] MITM via Insecure CA Path Handling in cURL (--capath, CURLOPT_CAPATH) (CWE-494: Download of Code Without Integrity Check)
Reported by: oicus | Disclosed:
Severity: High
Weakness: Reliance on Untrusted Inputs in a Security Decision
CVEs: CVE-2022-32221
[High] Arbitrary File Write via Path Traversal in cURL CLI (`-o`, `--output`) (CWE-22: Improper Limitation of a Pathname to a Restricted Directory)
Reported by: oicus | Disclosed:
Severity: High
Weakness: Path Traversal
CVEs: CVE-2020-8284
CVE-2020-8169: Partial password leak over DNS on HTTP redirect
Reported by: mszpl | Disclosed:
Severity: Medium
Weakness: Information Disclosure
Inadequate Cryptographic Key Size and Insecure Cryptographic Mode. File Name :- curl_ntlm_core.c
Reported by: sanchitcfc | Disclosed:
Severity: High
Weakness: Use of a Broken or Risky Cryptographic Algorithm
HTTP Proxy Bypass via `CURLOPT_CUSTOMREQUEST` Verb Tunneling
Reported by: alphox | Disclosed:
Severity: High
Weakness: Improper Access Control - Generic
Default Minimum TLS Version Set to TLS v1.0 (Cryptographic Weakness)
Reported by: monkey_dee | Disclosed:
Severity: Medium
Weakness: Use of a Broken or Risky Cryptographic Algorithm
CVE-2023-38039: HTTP header allocation DOS
Reported by: selmelc | Disclosed:
Severity: Medium
Weakness: Allocation of Resources Without Limits or Throttling
Unexpected access to process open files via file:///proc/self/fd/n
Reported by: nyymi | Disclosed:
Severity: High
Weakness: Information Disclosure
Insecure Frame (External)
Reported by: caesardiedd | Disclosed:
Severity: Low
Active Mixed Content over HTTPS
Reported by: caesardiedd | Disclosed:
Severity: Medium
CVE-2023-23914: curl HSTS ignored on multiple requests
Reported by: nyymi | Disclosed:
Severity: Low
Weakness: Cleartext Transmission of Sensitive Information