Docs Overview
Project
Bug Bounty Bug Report Code of conduct Dependencies Donate FAQ Features Governance History Install Known Bugs Logo TODO Web Site Info
Protocols
alt-svc CA Extract HSTS HTTP cookies HTTP/2 HTTP/3 MQTT SSL certs SSL libs compared URL syntax WebSocket
Releases
Changelog Release Table Security Problems Version Nums Vulnerabilities
Tool
Comparison Table curl man page HTTP Scripting mk-ca-bundle Tutorial
Who and Why
Companies Copyright Sponsors Thanks The name
curl / Docs / Vulnerability table / 7.69.0 vulnerabilities

Vulnerabilities in curl 7.69.0

Related:
Bug Bounty
Changelog
Donate
FAQ
Security Problems
Security Process
Vulnerabilities Table

curl version 7.69.0 was released on March 4 2020. The following 35 security problems are known to exist in this version.

FlawFrom versionTo and includingCVECWE
SSH connection too eager reuse still7.16.17.88.1CVE-2023-27538CWE-305: Authentication Bypass by Primary Weakness
GSS delegation too eager connection re-use7.22.07.88.1CVE-2023-27536CWE-305: Authentication Bypass by Primary Weakness
FTP too eager connection reuse7.13.07.88.1CVE-2023-27535CWE-305: Authentication Bypass by Primary Weakness
SFTP path ~ resolving discrepancy7.18.07.88.1CVE-2023-27534CWE-22: Improper Limitation of a Pathname to a Restricted Directory
TELNET option IAC injection7.77.88.1CVE-2023-27533CWE-75: Failure to Sanitize Special Elements into a Different Plane
HTTP multi-header compression denial of service7.57.07.87.0CVE-2023-23916CWE-770: Allocation of Resources Without Limits or Throttling
HTTP Proxy deny use-after-free7.16.07.86.0CVE-2022-43552CWE-416: Use After Free
POST following PUT confusion7.77.85.0CVE-2022-32221CWE-440: Expected Behavior Violation
control code in cookie denial of service4.97.84.0CVE-2022-35252CWE-1286: Improper Validation of Syntactic Correctness of Input
FTP-KRB bad message verification7.16.47.83.1CVE-2022-32208CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel
Unpreserved file permissions7.69.07.83.1CVE-2022-32207CWE-281: Improper Preservation of Permissions
HTTP compression denial of service7.57.07.83.1CVE-2022-32206CWE-770: Allocation of Resources Without Limits or Throttling
TLS and SSH connection too eager reuse7.16.17.83.0CVE-2022-27782CWE-305: Authentication Bypass by Primary Weakness
CERTINFO never-ending busy-loop7.34.07.83.0CVE-2022-27781CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
Auth/cookie leak on redirect4.97.82.0CVE-2022-27776CWE-522: Insufficiently Protected Credentials
Bad local IPv6 connection reuse7.65.07.82.0CVE-2022-27775CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Credential leak on redirect4.97.82.0CVE-2022-27774CWE-522: Insufficiently Protected Credentials
OAUTH2 bearer bypass in connection re-use7.33.07.82.0CVE-2022-22576CWE-305: Authentication Bypass by Primary Weakness
STARTTLS protocol injection via MITM7.20.07.78.0CVE-2021-22947CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data
Protocol downgrade required TLS bypassed7.20.07.78.0CVE-2021-22946CWE-325: Missing Cryptographic Step
CURLOPT_SSLCERT mixup with Secure Transport7.33.07.77.0CVE-2021-22926CWE-295: Improper Certificate Validation
TELNET stack contents disclosure again7.77.77.0CVE-2021-22925CWE-457: Use of Uninitialized Variable
Bad connection reuse due to flawed path name checks7.10.47.77.0CVE-2021-22924CWE-295: Improper Certificate Validation
Metalink download sends credentials7.27.07.77.0CVE-2021-22923CWE-522: Insufficiently Protected Credentials
Wrong content via metalink not discarded7.27.07.77.0CVE-2021-22922CWE-20: Improper Input Validation
TELNET stack contents disclosure7.77.76.1CVE-2021-22898CWE-457: Use of Uninitialized Variable
schannel cipher selection surprise7.61.07.76.1CVE-2021-22897CWE-488: Exposure of Data Element to Wrong Session
TLS 1.3 session ticket proxy host mixup7.63.07.75.0CVE-2021-22890CWE-290: Authentication Bypass by Spoofing
Automatic referer leaks credentials7.1.17.75.0CVE-2021-22876CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
Inferior OCSP verification7.41.07.73.0CVE-2020-8286CWE-299: Improper Check for Certificate Revocation
FTP wildcard stack overflow7.21.07.73.0CVE-2020-8285CWE-674: Uncontrolled Recursion
trusting FTP PASV responses4.07.73.0CVE-2020-8284CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
wrong connect-only connection7.29.07.71.1CVE-2020-8231CWE-825: Expired Pointer Dereference
curl overwrite local file with -J7.20.07.70.0CVE-2020-8177CWE-641: Improper Restriction of Names for Files and Other Resources
Partial password leak over DNS on HTTP redirect7.62.07.70.0CVE-2020-8169CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Changelog for curl 7.69.0

See vulnerability summary for the previous release: 7.68.0 or the subsequent release: 7.69.1