Information disclosure in cURL



Published: 2020-08-19
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-8231
CWE-ID CWE-825
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
cURL
Client/Desktop applications / Other client software

Vendor curl.haxx.se

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Expired pointer dereference

EUVDB-ID: #VU45794

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8231

CWE-ID: CWE-825 - Expired pointer dereference

Exploit availability: No

Description

The vulnerability allows an attacker to gain access to sensitive information.

The vulnerability exists due to expired pointer dereference error for CURLOPT_CONNECT_ONLY connections that may lead to information disclosure. If the application is using the CURLOPT_CONNECT_ONLY option to check if the website is accessible, an attacker might abuse this feature and force the application to re-use expired connection and send data intended to another connection to attacker controlled server.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

cURL: 7.29.0, 7.30.0, 7.31.0, 7.32.0, 7.33.0, 7.34.0, 7.35.0, 7.36.0, 7.37.0, 7.37.1, 7.38.0, 7.39.0, 7.40.0, 7.41.0, 7.42.0, 7.42.1, 7.43.0, 7.44.0, 7.45.0, 7.46.0, 7.47.0, 7.47.1, 7.48.0, 7.49.0, 7.49.1, 7.50.0, 7.50.1, 7.50.2, 7.50.3, 7.51.0, 7.52.0, 7.52.1, 7.53.0, 7.53.1, 7.54.0, 7.54.1, 7.55.0, 7.55.1, 7.56.0, 7.56.1, 7.57.0, 7.58.0, 7.59.0, 7.60.0, 7.61.0, 7.61.1, 7.62.0, 7.63.0, 7.64.0, 7.64.1, 7.65.0, 7.65.1, 7.65.2, 7.65.3, 7.66.0, 7.67.0, 7.68.0, 7.69.0, 7.69.1, 7.70.0, 7.71.0, 7.71.1

CPE2.3 External links

http://curl.haxx.se/docs/CVE-2020-8231.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###