Heap-Based Buffer Over-Read in Curl by Haxx
CVE-2018-16842

4.4MEDIUM

Key Information:

Vendor

The Curl Project

Status
Curl:
Vendor
CVE Published:
31 October 2018

What is CVE-2018-16842?

Curl versions between 7.14.1 and 7.61.1 contain a vulnerability in the tool_msgs.c:voutf() function that can result in a heap-based buffer over-read. This can potentially lead to unintended information exposure and could also result in denial of service. Users are advised to update to the latest versions to mitigate this issue.

Affected Version(s)

curl: from 7.14.1 to 7.61.1

References

https://security.gentoo.org/glsa/201903-03
vendor-advisoryx_refsource_GENTOO
https://www.debian.org/security/2018/dsa-4331
vendor-advisoryx_refsource_DEBIAN
https://lists.debian.org/debian-lts-announce/2018/11/msg0...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.