Integer overflow in curl (Alpine package)
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-5435 |
| CWE-ID | CWE-190 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
curl (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Integer overflow
EUVDB-ID: #VU18583
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-5435
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in curl_url_set() function on 32-bit systems. A remote attacker can pass an overly long URL to the affected application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionscurl (Alpine package): 7.62.0-r0 - 7.64.0-r1
External linkshttp://git.alpinelinux.org/aports/commit/?id=1c04cce7036cdb842535ee6ad5f944794fc04c74
http://git.alpinelinux.org/aports/commit/?id=5b3d6caf5ec2dd362978aa3e81badf606daa76ef
http://git.alpinelinux.org/aports/commit/?id=f4c02c83cf9d1a3f4bbb31b4a9dfd48e58a1fbca
http://git.alpinelinux.org/aports/commit/?id=f8e74ed5d486b34f474038f07979498dba33a6f1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
