curl / Docs / Vulnerability table / 7.19.4 vulnerabilities

Vulnerabilities in curl 7.19.4

curl version 7.19.4 was released on March 3 2009. The following 50 security problems are known to exist in this version.

Flaw	From version	To and including	CVE	CWE
control code in cookie denial of service	4.9	7.84.0	CVE-2022-35252	CWE-1286: Improper Validation of Syntactic Correctness of Input
FTP-KRB bad message verification	7.16.4	7.83.1	CVE-2022-32208	CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel
TLS and SSH connection too eager reuse	7.16.1	7.83.0	CVE-2022-27782	CWE-305: Authentication Bypass by Primary Weakness
Auth/cookie leak on redirect	4.9	7.82.0	CVE-2022-27776	CWE-522: Insufficiently Protected Credentials
Credential leak on redirect	4.9	7.82.0	CVE-2022-27774	CWE-522: Insufficiently Protected Credentials
TELNET stack contents disclosure again	7.7	7.77.0	CVE-2021-22925	CWE-457: Use of Uninitialized Variable
Bad connection reuse due to flawed path name checks	7.10.4	7.77.0	CVE-2021-22924	CWE-295: Improper Certificate Validation
TELNET stack contents disclosure	7.7	7.76.1	CVE-2021-22898	CWE-457: Use of Uninitialized Variable
Automatic referer leaks credentials	7.1.1	7.75.0	CVE-2021-22876	CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
trusting FTP PASV responses	4.0	7.73.0	CVE-2020-8284	CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
TFTP small blocksize heap buffer overflow	7.19.4	7.65.3	CVE-2019-5482	CWE-122: Heap-based Buffer Overflow
TFTP receive buffer overflow	7.19.4	7.64.1	CVE-2019-5436	CWE-122: Heap-based Buffer Overflow
warning message out-of-buffer read	7.14.1	7.61.1	CVE-2018-16842	CWE-125: Out-of-bounds Read
NTLM password overflow via integer overflow	7.15.4	7.61.0	CVE-2018-14618	CWE-131: Incorrect Calculation of Buffer Size
FTP path trickery leads to NIL byte out of bounds write	7.12.3	7.58.0	CVE-2018-1000120	CWE-122: Heap-based Buffer Overflow
HTTP authentication leak in redirects	6.0	7.57.0	CVE-2018-1000007	CWE-522: Insufficiently Protected Credentials
FTP PWD response parser out of bounds read	7.7	7.55.1	CVE-2017-1000254	CWE-126: Buffer Over-read
TFTP sends more than buffer size	7.15.0	7.54.1	CVE-2017-1000100	CWE-126: Buffer Over-read
--write-out out of buffer read	6.5	7.53.1	CVE-2017-7407	CWE-126: Buffer Over-read
printf floating point buffer overflow	5.4	7.51.0	CVE-2016-9586	CWE-121: Stack-based Buffer Overflow
cookie injection for other servers	4.9	7.50.3	CVE-2016-8615	CWE-187: Partial Comparison
case insensitive password comparison	7.7	7.50.3	CVE-2016-8616	CWE-178: Improper Handling of Case Sensitivity
OOB write via unchecked multiplication	7.3	7.50.3	CVE-2016-8617	CWE-131: Incorrect Calculation of Buffer Size
double-free in curl_maprintf	5.4	7.50.3	CVE-2016-8618	CWE-415: Double Free
double-free in krb5 code	7.3	7.50.3	CVE-2016-8619	CWE-415: Double Free
curl_getdate read out of bounds	7.12.2	7.50.3	CVE-2016-8621	CWE-126: Buffer Over-read
Use-after-free via shared cookies	7.10.7	7.50.3	CVE-2016-8623	CWE-416: Use After Free
invalid URL parsing with '#'	6.0	7.50.3	CVE-2016-8624	CWE-172: Encoding Error
IDNA 2003 makes curl use wrong host	7.12.0	7.50.3	CVE-2016-8625	CWE-838: Inappropriate Encoding for Output Context
curl escape and unescape integer overflows	7.11.1	7.50.2	CVE-2016-7167	CWE-131: Incorrect Calculation of Buffer Size
TLS session resumption client cert bypass	5.0	7.50.0	CVE-2016-5419	CWE-305: Authentication Bypass by Primary Weakness
Re-using connections with wrong client cert	7.7	7.50.0	CVE-2016-5420	CWE-305: Authentication Bypass by Primary Weakness
Windows DLL hijacking	7.11.1	7.49.0	CVE-2016-4802	CWE-94: Improper Control of Generation of Code ('Code Injection')
NTLM credentials not-checked for proxy connection re-use	7.10.7	7.46.0	CVE-2016-0755	CWE-305: Authentication Bypass by Primary Weakness
sensitive HTTP server headers also sent to proxies	4.0	7.42.0	CVE-2015-3153	CWE-201: Information Exposure Through Sent Data
Negotiate not treated as connection-oriented	7.10.6	7.41.0	CVE-2015-3148	CWE-305: Authentication Bypass by Primary Weakness
Re-using authenticated connection when unauthenticated	7.10.6	7.41.0	CVE-2015-3143	CWE-305: Authentication Bypass by Primary Weakness
URL request injection	6.0	7.39.0	CVE-2014-8150	CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
duphandle read out of bounds	7.17.1	7.38.0	CVE-2014-3707	CWE-126: Buffer Over-read
cookie leak with IP address as domain	4.0	7.37.1	CVE-2014-3613	CWE-201: Information Exposure Through Sent Data
IP address wildcard certificate validation	7.10.3	7.35.0	CVE-2014-0139	CWE-297: Improper Validation of Certificate with Host Mismatch
wrong re-use of connections	7.10.7	7.35.0	CVE-2014-0138	CWE-305: Authentication Bypass by Primary Weakness
re-use of wrong HTTP NTLM connection	7.10.6	7.34.0	CVE-2014-0015	CWE-305: Authentication Bypass by Primary Weakness
cert name check ignore OpenSSL	7.18.0	7.32.0	CVE-2013-4545	CWE-297: Improper Validation of Certificate with Host Mismatch
URL decode buffer boundary flaw	7.7	7.30.0	CVE-2013-2174	CWE-126: Buffer Over-read
cookie domain tailmatch	6.0	7.29.0	CVE-2013-1944	CWE-201: Information Exposure Through Sent Data
SSL CBC IV vulnerability	7.10.6	7.23.1	CVE-2011-3389	CWE-924: Improper Enforcement of Message Integrity
inappropriate GSSAPI delegation	7.10.6	7.21.6	CVE-2011-2192	CWE-281: Improper Preservation of Permissions
data callback excessive length	7.10.5	7.19.7	CVE-2010-0734	CWE-628: Function Call with Incorrectly Specified Arguments
embedded zero in cert name	7.4	7.19.5	CVE-2009-2417	CWE-170: Improper Null Termination

Changelog for curl 7.19.4

See vulnerability summary for the previous release: 7.19.3 or the subsequent release: 7.19.5