curl / Docs / Vulnerability table / 7.56.0 vulnerabilities

Vulnerabilities in curl 7.56.0

curl version 7.56.0 was released on October 4 2017. The following 35 security problems are known to exist in this version.

Flaw	From version	To and including	CVE	CWE
STARTTLS protocol injection via MITM	7.20.0	7.78.0	CVE-2021-22947	CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data
Protocol downgrade required TLS bypassed	7.20.0	7.78.0	CVE-2021-22946	CWE-325: Missing Cryptographic Step
CURLOPT_SSLCERT mixup with Secure Transport	7.33.0	7.77.0	CVE-2021-22926	CWE-295: Improper Certificate Validation
TELNET stack contents disclosure again	7.7	7.77.0	CVE-2021-22925	CWE-457: Use of Uninitialized Variable
Bad connection reuse due to flawed path name checks	7.10.4	7.77.0	CVE-2021-22924	CWE-295: Improper Certificate Validation
Metalink download sends credentials	7.27.0	7.77.0	CVE-2021-22923	CWE-522: Insufficiently Protected Credentials
Wrong content via metalink not discarded	7.27.0	7.77.0	CVE-2021-22922	CWE-20: Improper Input Validation
TELNET stack contents disclosure	7.7	7.76.1	CVE-2021-22898	CWE-457: Use of Uninitialized Variable
Automatic referer leaks credentials	7.1.1	7.75.0	CVE-2021-22876	CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
Inferior OCSP verification	7.41.0	7.73.0	CVE-2020-8286	CWE-299: Improper Check for Certificate Revocation
FTP wildcard stack overflow	7.21.0	7.73.0	CVE-2020-8285	CWE-674: Uncontrolled Recursion
trusting FTP PASV responses	4.0	7.73.0	CVE-2020-8284	CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
wrong connect-only connection	7.29.0	7.71.1	CVE-2020-8231	CWE-825: Expired Pointer Dereference
curl overwrite local file with -J	7.20.0	7.70.0	CVE-2020-8177	CWE-641: Improper Restriction of Names for Files and Other Resources
FTP-KRB double-free	7.52.0	7.65.3	CVE-2019-5481	CWE-415: Double Free
TFTP small blocksize heap buffer overflow	7.19.4	7.65.3	CVE-2019-5482	CWE-122: Heap-based Buffer Overflow
TFTP receive buffer overflow	7.19.4	7.64.1	CVE-2019-5436	CWE-122: Heap-based Buffer Overflow
NTLM type-2 out-of-bounds buffer read	7.36.0	7.63.0	CVE-2018-16890	CWE-125: Out-of-bounds Read
NTLMv2 type-3 header stack buffer overflow	7.36.0	7.63.0	CVE-2019-3822	CWE-121: Stack-based Buffer Overflow
SMTP end-of-response out-of-bounds read	7.34.0	7.63.0	CVE-2019-3823	CWE-125: Out-of-bounds Read
warning message out-of-buffer read	7.14.1	7.61.1	CVE-2018-16842	CWE-125: Out-of-bounds Read
SASL password overflow via integer overflow	7.33.0	7.61.1	CVE-2018-16839	CWE-131: Incorrect Calculation of Buffer Size
NTLM password overflow via integer overflow	7.15.4	7.61.0	CVE-2018-14618	CWE-131: Incorrect Calculation of Buffer Size
SMTP send heap buffer overflow	7.54.1	7.60.0	CVE-2018-0500	CWE-122: Heap-based Buffer Overflow
FTP shutdown response buffer overflow	7.54.1	7.59.0	CVE-2018-1000300	CWE-122: Heap-based Buffer Overflow
RTSP bad headers buffer over-read	7.20.0	7.59.0	CVE-2018-1000301	CWE-126: Buffer Over-read
RTSP RTP buffer over-read	7.20.0	7.58.0	CVE-2018-1000122	CWE-126: Buffer Over-read
LDAP NULL pointer dereference	7.21.0	7.58.0	CVE-2018-1000121	CWE-476: NULL Pointer Dereference
FTP path trickery leads to NIL byte out of bounds write	7.12.3	7.58.0	CVE-2018-1000120	CWE-122: Heap-based Buffer Overflow
HTTP authentication leak in redirects	6.0	7.57.0	CVE-2018-1000007	CWE-522: Insufficiently Protected Credentials
HTTP/2 trailer out-of-bounds read	7.49.0	7.57.0	CVE-2018-1000005	CWE-126: Buffer Over-read
SSL out of buffer access	7.56.0	7.56.1	CVE-2017-8818	CWE-125: Out-of-bounds Read
FTP wildcard out of bounds read	7.21.0	7.56.1	CVE-2017-8817	CWE-126: Buffer Over-read
NTLM buffer overflow via integer overflow	7.36.0	7.56.1	CVE-2017-8816	CWE-131: Incorrect Calculation of Buffer Size
IMAP FETCH response out of bounds read	7.20.0	7.56.0	CVE-2017-1000257	CWE-126: Buffer Over-read

Changelog for curl 7.56.0

See vulnerability summary for the previous release: 7.55.1 or the subsequent release: 7.56.1