curl / Docs / Vulnerability table / 7.52.1 vulnerabilities

Vulnerabilities in curl 7.52.1

curl version 7.52.1 was released on December 23 2016. The following 52 security problems are known to exist in this version.

Flaw	From version	To and including	CVE	CWE
SSH connection too eager reuse still	7.16.1	7.88.1	CVE-2023-27538	CWE-305: Authentication Bypass by Primary Weakness
GSS delegation too eager connection re-use	7.22.0	7.88.1	CVE-2023-27536	CWE-305: Authentication Bypass by Primary Weakness
FTP too eager connection reuse	7.13.0	7.88.1	CVE-2023-27535	CWE-305: Authentication Bypass by Primary Weakness
SFTP path ~ resolving discrepancy	7.18.0	7.88.1	CVE-2023-27534	CWE-22: Improper Limitation of a Pathname to a Restricted Directory
TELNET option IAC injection	7.7	7.88.1	CVE-2023-27533	CWE-75: Failure to Sanitize Special Elements into a Different Plane
HTTP Proxy deny use-after-free	7.16.0	7.86.0	CVE-2022-43552	CWE-416: Use After Free
POST following PUT confusion	7.7	7.85.0	CVE-2022-32221	CWE-440: Expected Behavior Violation
control code in cookie denial of service	4.9	7.84.0	CVE-2022-35252	CWE-1286: Improper Validation of Syntactic Correctness of Input
FTP-KRB bad message verification	7.16.4	7.83.1	CVE-2022-32208	CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel
TLS and SSH connection too eager reuse	7.16.1	7.83.0	CVE-2022-27782	CWE-305: Authentication Bypass by Primary Weakness
CERTINFO never-ending busy-loop	7.34.0	7.83.0	CVE-2022-27781	CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
Auth/cookie leak on redirect	4.9	7.82.0	CVE-2022-27776	CWE-522: Insufficiently Protected Credentials
Credential leak on redirect	4.9	7.82.0	CVE-2022-27774	CWE-522: Insufficiently Protected Credentials
OAUTH2 bearer bypass in connection re-use	7.33.0	7.82.0	CVE-2022-22576	CWE-305: Authentication Bypass by Primary Weakness
STARTTLS protocol injection via MITM	7.20.0	7.78.0	CVE-2021-22947	CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data
Protocol downgrade required TLS bypassed	7.20.0	7.78.0	CVE-2021-22946	CWE-325: Missing Cryptographic Step
CURLOPT_SSLCERT mixup with Secure Transport	7.33.0	7.77.0	CVE-2021-22926	CWE-295: Improper Certificate Validation
TELNET stack contents disclosure again	7.7	7.77.0	CVE-2021-22925	CWE-457: Use of Uninitialized Variable
Bad connection reuse due to flawed path name checks	7.10.4	7.77.0	CVE-2021-22924	CWE-295: Improper Certificate Validation
Metalink download sends credentials	7.27.0	7.77.0	CVE-2021-22923	CWE-522: Insufficiently Protected Credentials
Wrong content via metalink not discarded	7.27.0	7.77.0	CVE-2021-22922	CWE-20: Improper Input Validation
TELNET stack contents disclosure	7.7	7.76.1	CVE-2021-22898	CWE-457: Use of Uninitialized Variable
Automatic referer leaks credentials	7.1.1	7.75.0	CVE-2021-22876	CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
Inferior OCSP verification	7.41.0	7.73.0	CVE-2020-8286	CWE-299: Improper Check for Certificate Revocation
FTP wildcard stack overflow	7.21.0	7.73.0	CVE-2020-8285	CWE-674: Uncontrolled Recursion
trusting FTP PASV responses	4.0	7.73.0	CVE-2020-8284	CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
wrong connect-only connection	7.29.0	7.71.1	CVE-2020-8231	CWE-825: Expired Pointer Dereference
curl overwrite local file with -J	7.20.0	7.70.0	CVE-2020-8177	CWE-641: Improper Restriction of Names for Files and Other Resources
FTP-KRB double-free	7.52.0	7.65.3	CVE-2019-5481	CWE-415: Double Free
TFTP small blocksize heap buffer overflow	7.19.4	7.65.3	CVE-2019-5482	CWE-122: Heap-based Buffer Overflow
TFTP receive buffer overflow	7.19.4	7.64.1	CVE-2019-5436	CWE-122: Heap-based Buffer Overflow
NTLM type-2 out-of-bounds buffer read	7.36.0	7.63.0	CVE-2018-16890	CWE-125: Out-of-bounds Read
NTLMv2 type-3 header stack buffer overflow	7.36.0	7.63.0	CVE-2019-3822	CWE-121: Stack-based Buffer Overflow
SMTP end-of-response out-of-bounds read	7.34.0	7.63.0	CVE-2019-3823	CWE-125: Out-of-bounds Read
warning message out-of-buffer read	7.14.1	7.61.1	CVE-2018-16842	CWE-125: Out-of-bounds Read
SASL password overflow via integer overflow	7.33.0	7.61.1	CVE-2018-16839	CWE-131: Incorrect Calculation of Buffer Size
NTLM password overflow via integer overflow	7.15.4	7.61.0	CVE-2018-14618	CWE-131: Incorrect Calculation of Buffer Size
RTSP bad headers buffer over-read	7.20.0	7.59.0	CVE-2018-1000301	CWE-126: Buffer Over-read
RTSP RTP buffer over-read	7.20.0	7.58.0	CVE-2018-1000122	CWE-126: Buffer Over-read
LDAP NULL pointer dereference	7.21.0	7.58.0	CVE-2018-1000121	CWE-476: NULL Pointer Dereference
FTP path trickery leads to NIL byte out of bounds write	7.12.3	7.58.0	CVE-2018-1000120	CWE-122: Heap-based Buffer Overflow
HTTP authentication leak in redirects	6.0	7.57.0	CVE-2018-1000007	CWE-522: Insufficiently Protected Credentials
HTTP/2 trailer out-of-bounds read	7.49.0	7.57.0	CVE-2018-1000005	CWE-126: Buffer Over-read
FTP wildcard out of bounds read	7.21.0	7.56.1	CVE-2017-8817	CWE-126: Buffer Over-read
NTLM buffer overflow via integer overflow	7.36.0	7.56.1	CVE-2017-8816	CWE-131: Incorrect Calculation of Buffer Size
IMAP FETCH response out of bounds read	7.20.0	7.56.0	CVE-2017-1000257	CWE-126: Buffer Over-read
FTP PWD response parser out of bounds read	7.7	7.55.1	CVE-2017-1000254	CWE-126: Buffer Over-read
URL globbing out of bounds read	7.34.0	7.54.1	CVE-2017-1000101	CWE-126: Buffer Over-read
TFTP sends more than buffer size	7.15.0	7.54.1	CVE-2017-1000100	CWE-126: Buffer Over-read
TLS session resumption client cert bypass (again)	7.52.0	7.53.1	CVE-2017-7468	CWE-305: Authentication Bypass by Primary Weakness
--write-out out of buffer read	6.5	7.53.1	CVE-2017-7407	CWE-126: Buffer Over-read
SSL_VERIFYSTATUS ignored	7.52.0	7.52.1	CVE-2017-2629	CWE-304: Missing Critical Step in Authentication

Changelog for curl 7.52.1

See vulnerability summary for the previous release: 7.52.0 or the subsequent release: 7.53.0