curl / Docs / Vulnerability table / 7.65.1 vulnerabilities

Vulnerabilities in curl 7.65.1

curl version 7.65.1 was released on June 5 2019. The following 31 security problems are known to exist in this version.

Flaw	From version	To and including	CVE	CWE
HTTP Proxy deny use-after-free	7.16.0	7.86.0	CVE-2022-43552	CWE-416: Use After Free
POST following PUT confusion	7.7	7.85.0	CVE-2022-32221	CWE-440: Expected Behavior Violation
control code in cookie denial of service	4.9	7.84.0	CVE-2022-35252	CWE-1286: Improper Validation of Syntactic Correctness of Input
FTP-KRB bad message verification	7.16.4	7.83.1	CVE-2022-32208	CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel
HTTP compression denial of service	7.57.0	7.83.1	CVE-2022-32206	CWE-770: Allocation of Resources Without Limits or Throttling
TLS and SSH connection too eager reuse	7.16.1	7.83.0	CVE-2022-27782	CWE-305: Authentication Bypass by Primary Weakness
CERTINFO never-ending busy-loop	7.34.0	7.83.0	CVE-2022-27781	CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
Auth/cookie leak on redirect	4.9	7.82.0	CVE-2022-27776	CWE-522: Insufficiently Protected Credentials
Bad local IPv6 connection reuse	7.65.0	7.82.0	CVE-2022-27775	CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Credential leak on redirect	4.9	7.82.0	CVE-2022-27774	CWE-522: Insufficiently Protected Credentials
OAUTH2 bearer bypass in connection re-use	7.33.0	7.82.0	CVE-2022-22576	CWE-305: Authentication Bypass by Primary Weakness
STARTTLS protocol injection via MITM	7.20.0	7.78.0	CVE-2021-22947	CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data
Protocol downgrade required TLS bypassed	7.20.0	7.78.0	CVE-2021-22946	CWE-325: Missing Cryptographic Step
CURLOPT_SSLCERT mixup with Secure Transport	7.33.0	7.77.0	CVE-2021-22926	CWE-295: Improper Certificate Validation
TELNET stack contents disclosure again	7.7	7.77.0	CVE-2021-22925	CWE-457: Use of Uninitialized Variable
Bad connection reuse due to flawed path name checks	7.10.4	7.77.0	CVE-2021-22924	CWE-295: Improper Certificate Validation
Metalink download sends credentials	7.27.0	7.77.0	CVE-2021-22923	CWE-522: Insufficiently Protected Credentials
Wrong content via metalink not discarded	7.27.0	7.77.0	CVE-2021-22922	CWE-20: Improper Input Validation
TELNET stack contents disclosure	7.7	7.76.1	CVE-2021-22898	CWE-457: Use of Uninitialized Variable
schannel cipher selection surprise	7.61.0	7.76.1	CVE-2021-22897	CWE-488: Exposure of Data Element to Wrong Session
TLS 1.3 session ticket proxy host mixup	7.63.0	7.75.0	CVE-2021-22890	CWE-290: Authentication Bypass by Spoofing
Automatic referer leaks credentials	7.1.1	7.75.0	CVE-2021-22876	CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
Inferior OCSP verification	7.41.0	7.73.0	CVE-2020-8286	CWE-299: Improper Check for Certificate Revocation
FTP wildcard stack overflow	7.21.0	7.73.0	CVE-2020-8285	CWE-674: Uncontrolled Recursion
trusting FTP PASV responses	4.0	7.73.0	CVE-2020-8284	CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
wrong connect-only connection	7.29.0	7.71.1	CVE-2020-8231	CWE-825: Expired Pointer Dereference
curl overwrite local file with -J	7.20.0	7.70.0	CVE-2020-8177	CWE-641: Improper Restriction of Names for Files and Other Resources
Partial password leak over DNS on HTTP redirect	7.62.0	7.70.0	CVE-2020-8169	CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
FTP-KRB double-free	7.52.0	7.65.3	CVE-2019-5481	CWE-415: Double Free
TFTP small blocksize heap buffer overflow	7.19.4	7.65.3	CVE-2019-5482	CWE-122: Heap-based Buffer Overflow
Windows OpenSSL engine code injection	7.61.0	7.65.1	CVE-2019-5443	CWE-94: Code Injection

Changelog for curl 7.65.1

See vulnerability summary for the previous release: 7.65.0 or the subsequent release: 7.65.2