Denial of Service Vulnerability in cURL and libcurl by Vendor
CVE-2015-3144

Currently unrated

Key Information:

Vendor: Oracle

CVE Published: 24 April 2015

Summary

The fix_hostname function in cURL and libcurl versions 7.37.0 to 7.41.0 does not calculate an index properly. A remote attacker can trigger the flaw by supplying a zero-length hostname, such as 'http://:80' or ':80', which leads to an out-of-bounds read or write and a potential denial of service through a crash. Users of affected versions should consider updating to protect against this.
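The index flaw described above, shown as an added C example that is not curl's source or part of the original page. It assumes, following the curl project's advisory for this CVE, that the affected code strips a trailing dot from the hostname; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Pre-fix pattern (simplified, hypothetical name): assumes len > 0.
 * With name == "" the index len - 1 wraps around, so name[len - 1]
 * is read, and possibly written, outside the buffer. */
void strip_trailing_dot_unchecked(char *name)
{
    size_t len = strlen(name);
    if (name[len - 1] == '.')
        name[len - 1] = '\0';
}

/* Guarded form: a zero-length name is left untouched.
 * Returns the length of the name after stripping. */
size_t strip_trailing_dot_checked(char *name)
{
    size_t len = strlen(name);
    if (len > 0 && name[len - 1] == '.')
        name[--len] = '\0';
    return len;
}

/* Copies `in` into `out` and applies the guarded strip.
 * Returns the new length, or (size_t)-1 if `in` does not fit. */
size_t checked_len_after_strip(const char *in, char *out, size_t outsz)
{
    if (strlen(in) >= outsz)
        return (size_t)-1;
    strcpy(out, in);
    return strip_trailing_dot_checked(out);
}

int main(void)
{
    /* Constructed sample hostnames; "" is what remains of 'http://:80'. */
    const char *samples[] = { "example.com.", "example.com", "" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = checked_len_after_strip(samples[i], buf, sizeof buf);
        printf("\"%s\" -> \"%s\" (len %zu)\n", samples[i], buf, n);
    }
    return 0;
}
```

The unchecked function is only safe for non-empty input, so any caller that can receive an empty host needs the `len > 0` guard or an earlier rejection of the URL.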
