2019-02-06 21:29:00 2019-07-24 01:15:29

libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl into accepting a bad length + offset combination that would lead to a buffer read out-of-bounds.

Vector: NETWORK
Complexity: LOW
Authentication: NONE
Confidentiality: NONE
Integrity: NONE
Availability: PARTIAL
Siemens Sinema remote connect client 2.0 (not an official CPE)
Oracle Secure global desktop 5.4 (not an official CPE)
Oracle Http server 12.2.1.3.0 (not an official CPE)
Oracle Communications operations monitor 4.0 (not an official CPE)
Oracle Communications operations monitor 3.4 (not an official CPE)
Haxx Libcurl 7.63.0 (not an official CPE)
Haxx Libcurl 7.62.0 (not an official CPE)
Haxx Libcurl 7.61.1 (not an official CPE)
Haxx Libcurl 7.61.0 (not an official CPE)
Haxx Libcurl 7.60.0 (not an official CPE)
Haxx Libcurl 7.59.0 (not an official CPE)
Haxx Libcurl 7.58.0 (not an official CPE)
Haxx Libcurl 7.57.0 (not an official CPE)
Haxx Libcurl 7.56.1 (not an official CPE)
Haxx Libcurl 7.56.0 (not an official CPE)
Haxx Libcurl 7.55.1 (not an official CPE)
Haxx Libcurl 7.55.0 (not an official CPE)
Haxx Libcurl 7.54.1 (not an official CPE)
Haxx Libcurl 7.54.0 (not an official CPE)
Haxx Libcurl 7.53.1 (not an official CPE)
Haxx Libcurl 7.53.0 (not an official CPE)
Haxx Libcurl 7.52.1 (not an official CPE)
Haxx Libcurl 7.52.0 (not an official CPE)
Haxx Libcurl 7.51.0 (not an official CPE)
Haxx Libcurl 7.50.3 (not an official CPE)
Haxx Libcurl 7.50.2 (not an official CPE)
Haxx Libcurl 7.50.1 (not an official CPE)
Haxx Libcurl 7.50.0 (not an official CPE)
Haxx Libcurl 7.49.1 (not an official CPE)
Haxx Libcurl 7.49.0 (not an official CPE)
Haxx Libcurl 7.48.0 (not an official CPE)
Haxx Libcurl 7.47.1 (not an official CPE)
Haxx Libcurl 7.43.0 (not an official CPE)
Haxx Libcurl 7.44.0 (not an official CPE)
Haxx Libcurl 7.45.0 (not an official CPE)
Haxx Libcurl 7.46.0 (not an official CPE)
Haxx Libcurl 7.47.0 (not an official CPE)
Haxx libcurl 7.42.1
Haxx libcurl 7.42.0
Haxx Libcurl 7.42 (not an official CPE)
Haxx libcurl 7.40.0
Haxx libcurl 7.41.0
Haxx Libcurl 7.39.0 (not an official CPE)
Haxx libcurl 7.39
Haxx libcurl 7.38.0
Haxx libcurl 7.37.1
Haxx libcurl 7.37.0
Haxx libcurl 7.36.0