curl / Docs / Vulnerability table / 7.11.1 vulnerabilities

Vulnerabilities in curl 7.11.1

curl version 7.11.1 was released on March 19 2004. The following 34 security problems are known to exist in this version.

Flaw	From version	To and including	CVE	CWE
trusting FTP PASV responses	4.0	7.73.0	CVE-2020-8284	CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
HTTP authentication leak in redirects	6.0	7.57.0	CVE-2018-1000007	CWE-522: Insufficiently Protected Credentials
FTP PWD response parser out of bounds read	7.7	7.55.1	CVE-2017-1000254	CWE-126: Buffer Over-read
--write-out out of buffer read	6.5	7.53.1	CVE-2017-7407	CWE-126: Buffer Over-read
printf floating point buffer overflow	7.1	7.51.0	CVE-2016-9586	CWE-121: Stack-based Buffer Overflow
cookie injection for other servers	7.1	7.50.3	CVE-2016-8615	CWE-187: Partial Comparison
case insensitive password comparison	7.7	7.50.3	CVE-2016-8616	CWE-178: Improper Handling of Case Sensitivity
OOB write via unchecked multiplication	7.1	7.50.3	CVE-2016-8617	CWE-131: Incorrect Calculation of Buffer Size
double-free in curl_maprintf	7.1	7.50.3	CVE-2016-8618	CWE-415: Double Free
double-free in krb5 code	7.3	7.50.3	CVE-2016-8619	CWE-415: Double Free
Use-after-free via shared cookies	7.10.7	7.50.3	CVE-2016-8623	CWE-416: Use After Free
invalid URL parsing with '#'	7.1	7.50.3	CVE-2016-8624	CWE-172: Encoding Error
curl escape and unescape integer overflows	7.11.1	7.50.2	CVE-2016-7167	CWE-131: Incorrect Calculation of Buffer Size
TLS session resumption client cert bypass	7.1	7.50.0	CVE-2016-5419	CWE-305: Authentication Bypass by Primary Weakness
Re-using connections with wrong client cert	7.1	7.50.0	CVE-2016-5420	CWE-305: Authentication Bypass by Primary Weakness
Windows DLL hijacking	7.11.1	7.49.0	CVE-2016-4802	CWE-94: Improper Control of Generation of Code ('Code Injection')
NTLM credentials not-checked for proxy connection re-use	7.10.7	7.46.0	CVE-2016-0755	CWE-305: Authentication Bypass by Primary Weakness
sensitive HTTP server headers also sent to proxies	7.1	7.42.0	CVE-2015-3153	CWE-201: Information Exposure Through Sent Data
Negotiate not treated as connection-oriented	7.10.6	7.41.0	CVE-2015-3148	CWE-305: Authentication Bypass by Primary Weakness
Re-using authenticated connection when unauthenticated	7.10.6	7.41.0	CVE-2015-3143	CWE-305: Authentication Bypass by Primary Weakness
URL request injection	6.0	7.39.0	CVE-2014-8150	CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
cookie leak with IP address as domain	7.1	7.37.1	CVE-2014-3613	CWE-201: Information Exposure Through Sent Data
IP address wildcard certificate validation	7.1	7.35.0	CVE-2014-0139	CWE-297: Improper Validation of Certificate with Host Mismatch
wrong re-use of connections	7.10.7	7.35.0	CVE-2014-0138	CWE-305: Authentication Bypass by Primary Weakness
re-use of wrong HTTP NTLM connection	7.10.6	7.34.0	CVE-2014-0015	CWE-305: Authentication Bypass by Primary Weakness
URL decode buffer boundary flaw	7.7	7.30.0	CVE-2013-2174	CWE-126: Buffer Over-read
cookie domain tailmatch	6.0	7.29.0	CVE-2013-1944	CWE-201: Information Exposure Through Sent Data
SSL CBC IV vulnerability	7.10.6	7.23.1	CVE-2011-3389	CWE-924: Improper Enforcement of Message Integrity
inappropriate GSSAPI delegation	7.10.6	7.21.6	CVE-2011-2192	CWE-281: Improper Preservation of Permissions
data callback excessive length	7.10.5	7.19.7	CVE-2010-0734	CWE-628: Function Call with Incorrectly Specified Arguments
embedded zero in cert name	7.4	7.19.5	CVE-2009-2417	CWE-170: Improper Null Termination
Arbitrary File Access	6.0	7.19.3	CVE-2009-0037	CWE-142: Improper Neutralization of Value Delimiters
NTLM Buffer Overflow	7.10.6	7.14.1	CVE-2005-3185	CWE-121: Stack-based Buffer Overflow
Authentication Buffer Overflows	7.3	7.13.0	CVE-2005-0490	CWE-121: Stack-based Buffer Overflow

Changelog for curl 7.11.1

See vulnerability summary for the previous release: 7.11.0 or the subsequent release: 7.11.2