Docs Overview
Project
Bug Bounty Bug Report Code of conduct Dependencies Donate FAQ Features Governance History Install Known Bugs TODO Web Site Info
Protocols
HSTS HTTP cookies HTTP/2 HTTP/3 MQTT SSL certs CA Extract SSL libs compared URL syntax
Releases
Changelog Release Table Security Problems Version Nums Vulnerabilities
Tool
Comparison Table curl man page HTTP Scripting mk-ca-bundle Tutorial
Who and Why
Companies Copyright Sponsors Thanks The name
curl / Docs / Vulnerability table / 7.61.0 vulnerabilities

Vulnerabilities in curl 7.61.0

Related:
Bug Bounty
Changelog
Donate
FAQ
Security Problems
Security Process
Vulnerabilities Table

curl version 7.61.0 was released on July 11 2018. The following 26 security problems are known to exist in this version.

FlawFrom versionTo and includingCVECWE
STARTTLS protocol injection via MITM7.20.07.78.0CVE-2021-22947CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data
Protocol downgrade required TLS bypassed7.20.07.78.0CVE-2021-22946CWE-325: Missing Cryptographic Step
CURLOPT_SSLCERT mixup with Secure Transport7.33.07.77.0CVE-2021-22926CWE-295: Improper Certificate Validation
TELNET stack contents disclosure again7.77.77.0CVE-2021-22925CWE-457: Use of Uninitialized Variable
Bad connection reuse due to flawed path name checks7.10.47.77.0CVE-2021-22924CWE-295: Improper Certificate Validation
Metalink download sends credentials7.27.07.77.0CVE-2021-22923CWE-522: Insufficiently Protected Credentials
Wrong content via metalink not discarded7.27.07.77.0CVE-2021-22922CWE-20: Improper Input Validation
TELNET stack contents disclosure7.77.76.1CVE-2021-22898CWE-457: Use of Uninitialized Variable
schannel cipher selection surprise7.61.07.76.1CVE-2021-22897CWE-488: Exposure of Data Element to Wrong Session
Automatic referer leaks credentials7.1.17.75.0CVE-2021-22876CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
Inferior OCSP verification7.41.07.73.0CVE-2020-8286CWE-299: Improper Check for Certificate Revocation
FTP wildcard stack overflow7.21.07.73.0CVE-2020-8285CWE-674: Uncontrolled Recursion
trusting FTP PASV responses4.07.73.0CVE-2020-8284CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
wrong connect-only connection7.29.07.71.1CVE-2020-8231CWE-825: Expired Pointer Dereference
curl overwrite local file with -J7.20.07.70.0CVE-2020-8177CWE-641: Improper Restriction of Names for Files and Other Resources
FTP-KRB double-free7.52.07.65.3CVE-2019-5481CWE-415: Double Free
TFTP small blocksize heap buffer overflow7.19.47.65.3CVE-2019-5482CWE-122: Heap-based Buffer Overflow
Windows OpenSSL engine code injection7.61.07.65.1CVE-2019-5443CWE-94: Code Injection
TFTP receive buffer overflow7.19.47.64.1CVE-2019-5436CWE-122: Heap-based Buffer Overflow
NTLM type-2 out-of-bounds buffer read7.36.07.63.0CVE-2018-16890CWE-125: Out-of-bounds Read
NTLMv2 type-3 header stack buffer overflow7.36.07.63.0CVE-2019-3822CWE-121: Stack-based Buffer Overflow
SMTP end-of-response out-of-bounds read7.34.07.63.0CVE-2019-3823CWE-125: Out-of-bounds Read
warning message out-of-buffer read7.14.17.61.1CVE-2018-16842CWE-125: Out-of-bounds Read
use-after-free in handle close7.59.07.61.1CVE-2018-16840CWE-416: Use After Free
SASL password overflow via integer overflow7.33.07.61.1CVE-2018-16839CWE-131: Incorrect Calculation of Buffer Size
NTLM password overflow via integer overflow7.15.47.61.0CVE-2018-14618CWE-131: Incorrect Calculation of Buffer Size

Changelog for curl 7.61.0

See vulnerability summary for the previous release: 7.60.0 or the subsequent release: 7.61.1