Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
- Snyk ID SNYK-DEBIAN11-CURL-520547
- published 6 Feb 2019
- disclosed 6 Feb 2019
How to fix?
curl to version 7.64.0-1 or higher.
Note: Versions mentioned in the description apply only to the upstream
curl package and not the
curl package as distributed by
How to fix? for
Debian:11 relevant fixed versions and status.
libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (
lib/vauth/ntlm.c:ntlm_decode_type2_target) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.