curl / Docs / Vulnerability table / 7.61.0 vulnerabilities

Vulnerabilities in curl 7.61.0

curl version 7.61.0 was released on July 11 2018. The following 33 security problems are known to exist in this version.

Flaw	From version	To and including	CVE	CWE
FTP-KRB bad message verification	7.16.4	7.83.1	CVE-2022-32208	CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel
HTTP compression denial of service	7.57.0	7.83.1	CVE-2022-32206	CWE-770: Allocation of Resources Without Limits or Throttling
TLS and SSH connection too eager reuse	7.16.1	7.83.0	CVE-2022-27782	CWE-305: Authentication Bypass by Primary Weakness
CERTINFO never-ending busy-loop	7.34.0	7.83.0	CVE-2022-27781	CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
Auth/cookie leak on redirect	4.9	7.82.0	CVE-2022-27776	CWE-522: Insufficiently Protected Credentials
Credential leak on redirect	4.9	7.82.0	CVE-2022-27774	CWE-522: Insufficiently Protected Credentials
OAUTH2 bearer bypass in connection re-use	7.33.0	7.82.0	CVE-2022-22576	CWE-305: Authentication Bypass by Primary Weakness
STARTTLS protocol injection via MITM	7.20.0	7.78.0	CVE-2021-22947	CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data
Protocol downgrade required TLS bypassed	7.20.0	7.78.0	CVE-2021-22946	CWE-325: Missing Cryptographic Step
CURLOPT_SSLCERT mixup with Secure Transport	7.33.0	7.77.0	CVE-2021-22926	CWE-295: Improper Certificate Validation
TELNET stack contents disclosure again	7.7	7.77.0	CVE-2021-22925	CWE-457: Use of Uninitialized Variable
Bad connection reuse due to flawed path name checks	7.10.4	7.77.0	CVE-2021-22924	CWE-295: Improper Certificate Validation
Metalink download sends credentials	7.27.0	7.77.0	CVE-2021-22923	CWE-522: Insufficiently Protected Credentials
Wrong content via metalink not discarded	7.27.0	7.77.0	CVE-2021-22922	CWE-20: Improper Input Validation
TELNET stack contents disclosure	7.7	7.76.1	CVE-2021-22898	CWE-457: Use of Uninitialized Variable
schannel cipher selection surprise	7.61.0	7.76.1	CVE-2021-22897	CWE-488: Exposure of Data Element to Wrong Session
Automatic referer leaks credentials	7.1.1	7.75.0	CVE-2021-22876	CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
Inferior OCSP verification	7.41.0	7.73.0	CVE-2020-8286	CWE-299: Improper Check for Certificate Revocation
FTP wildcard stack overflow	7.21.0	7.73.0	CVE-2020-8285	CWE-674: Uncontrolled Recursion
trusting FTP PASV responses	4.0	7.73.0	CVE-2020-8284	CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
wrong connect-only connection	7.29.0	7.71.1	CVE-2020-8231	CWE-825: Expired Pointer Dereference
curl overwrite local file with -J	7.20.0	7.70.0	CVE-2020-8177	CWE-641: Improper Restriction of Names for Files and Other Resources
FTP-KRB double-free	7.52.0	7.65.3	CVE-2019-5481	CWE-415: Double Free
TFTP small blocksize heap buffer overflow	7.19.4	7.65.3	CVE-2019-5482	CWE-122: Heap-based Buffer Overflow
Windows OpenSSL engine code injection	7.61.0	7.65.1	CVE-2019-5443	CWE-94: Code Injection
TFTP receive buffer overflow	7.19.4	7.64.1	CVE-2019-5436	CWE-122: Heap-based Buffer Overflow
NTLM type-2 out-of-bounds buffer read	7.36.0	7.63.0	CVE-2018-16890	CWE-125: Out-of-bounds Read
NTLMv2 type-3 header stack buffer overflow	7.36.0	7.63.0	CVE-2019-3822	CWE-121: Stack-based Buffer Overflow
SMTP end-of-response out-of-bounds read	7.34.0	7.63.0	CVE-2019-3823	CWE-125: Out-of-bounds Read
warning message out-of-buffer read	7.14.1	7.61.1	CVE-2018-16842	CWE-125: Out-of-bounds Read
use-after-free in handle close	7.59.0	7.61.1	CVE-2018-16840	CWE-416: Use After Free
SASL password overflow via integer overflow	7.33.0	7.61.1	CVE-2018-16839	CWE-131: Incorrect Calculation of Buffer Size
NTLM password overflow via integer overflow	7.15.4	7.61.0	CVE-2018-14618	CWE-131: Incorrect Calculation of Buffer Size

Changelog for curl 7.61.0

See vulnerability summary for the previous release: 7.60.0 or the subsequent release: 7.61.1