Arbitrary code execution in libcurl

Published: 2017-06-16 16:00:59
Severity Low
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2017-9502
CVSSv3 7.5 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CWE ID CWE-120
Exploitation vector Local
Public exploit Not available
Vulnerable software libcurl
Vulnerable software versions libcurl 7.53.0
libcurl 7.53.1
libcurl 7.54.0
Vendor URL curl.haxx.se

Security Advisory

1) Buffer overflow

Description

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The weakness exists on Windows-based and DOS-based systems due to buffer overflow when handling malicious input. A local attacker can supply a specially crafted 'file:' URL without the '//' following the colon character, trigger memory corruption and execute arbitrary code on the target system with the privileges of the application using libcurl.

Successful exploitation of the vulnerability may result in full system compromise.

Remediation

Update to version 7.54.1.

External links

https://curl.haxx.se/docs/adv_20170614.html

Back to List