SB2012020208 - SQL injection in curl (Alpine package)

Description

This security bulletin contains information about 1 vulnerability.

1) SQL injection (CVE-ID: CVE-2012-0036)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.

Remediation

Install update from vendor's website.

References

• https://git.alpinelinux.org/aports/commit/?id=6e5c47e2e08e17d1a42d9f3865eec2d6a0a941fd
• https://git.alpinelinux.org/aports/commit/?id=76b7efcfd70b565bb63160dca4268c99f6d0770c
• https://git.alpinelinux.org/aports/commit/?id=8fdf25f4310c5206bb1aac5d052d642b65c7bced