
Vulnerabilities in curl 7.72.0

curl version 7.72.0 was released on August 19, 2020. The following 33 security problems are known to exist in this version.

| Flaw | From version | To and including | CVE | CWE |
|---|---|---|---|---|
| SSH connection too eager reuse still | 7.16.1 | 7.88.1 | CVE-2023-27538 | CWE-305: Authentication Bypass by Primary Weakness |
| GSS delegation too eager connection re-use | 7.22.0 | 7.88.1 | CVE-2023-27536 | CWE-305: Authentication Bypass by Primary Weakness |
| FTP too eager connection reuse | 7.13.0 | 7.88.1 | CVE-2023-27535 | CWE-305: Authentication Bypass by Primary Weakness |
| SFTP path ~ resolving discrepancy | 7.18.0 | 7.88.1 | CVE-2023-27534 | CWE-22: Improper Limitation of a Pathname to a Restricted Directory |
| TELNET option IAC injection | 7.7 | 7.88.1 | CVE-2023-27533 | CWE-75: Failure to Sanitize Special Elements into a Different Plane |
| HTTP multi-header compression denial of service | 7.57.0 | 7.87.0 | CVE-2023-23916 | CWE-770: Allocation of Resources Without Limits or Throttling |
| HTTP Proxy deny use-after-free | 7.16.0 | 7.86.0 | CVE-2022-43552 | CWE-416: Use After Free |
| POST following PUT confusion | 7.7 | 7.85.0 | CVE-2022-32221 | CWE-440: Expected Behavior Violation |
| control code in cookie denial of service | 4.9 | 7.84.0 | CVE-2022-35252 | CWE-1286: Improper Validation of Syntactic Correctness of Input |
| FTP-KRB bad message verification | 7.16.4 | 7.83.1 | CVE-2022-32208 | CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel |
| Unpreserved file permissions | 7.69.0 | 7.83.1 | CVE-2022-32207 | CWE-281: Improper Preservation of Permissions |
| HTTP compression denial of service | 7.57.0 | 7.83.1 | CVE-2022-32206 | CWE-770: Allocation of Resources Without Limits or Throttling |
| Set-Cookie denial of service | 7.71.0 | 7.83.1 | CVE-2022-32205 | CWE-770: Allocation of Resources Without Limits or Throttling |
| TLS and SSH connection too eager reuse | 7.16.1 | 7.83.0 | CVE-2022-27782 | CWE-305: Authentication Bypass by Primary Weakness |
| CERTINFO never-ending busy-loop | 7.34.0 | 7.83.0 | CVE-2022-27781 | CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') |
| Auth/cookie leak on redirect | 4.9 | 7.82.0 | CVE-2022-27776 | CWE-522: Insufficiently Protected Credentials |
| Bad local IPv6 connection reuse | 7.65.0 | 7.82.0 | CVE-2022-27775 | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
| Credential leak on redirect | 4.9 | 7.82.0 | CVE-2022-27774 | CWE-522: Insufficiently Protected Credentials |
| OAUTH2 bearer bypass in connection re-use | 7.33.0 | 7.82.0 | CVE-2022-22576 | CWE-305: Authentication Bypass by Primary Weakness |
| STARTTLS protocol injection via MITM | 7.20.0 | 7.78.0 | CVE-2021-22947 | CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data |
| Protocol downgrade required TLS bypassed | 7.20.0 | 7.78.0 | CVE-2021-22946 | CWE-325: Missing Cryptographic Step |
| CURLOPT_SSLCERT mixup with Secure Transport | 7.33.0 | 7.77.0 | CVE-2021-22926 | CWE-295: Improper Certificate Validation |
| TELNET stack contents disclosure again | 7.7 | 7.77.0 | CVE-2021-22925 | CWE-457: Use of Uninitialized Variable |
| Bad connection reuse due to flawed path name checks | 7.10.4 | 7.77.0 | CVE-2021-22924 | CWE-295: Improper Certificate Validation |
| Metalink download sends credentials | 7.27.0 | 7.77.0 | CVE-2021-22923 | CWE-522: Insufficiently Protected Credentials |
| Wrong content via metalink not discarded | 7.27.0 | 7.77.0 | CVE-2021-22922 | CWE-20: Improper Input Validation |
| TELNET stack contents disclosure | 7.7 | 7.76.1 | CVE-2021-22898 | CWE-457: Use of Uninitialized Variable |
| schannel cipher selection surprise | 7.61.0 | 7.76.1 | CVE-2021-22897 | CWE-488: Exposure of Data Element to Wrong Session |
| TLS 1.3 session ticket proxy host mixup | 7.63.0 | 7.75.0 | CVE-2021-22890 | CWE-290: Authentication Bypass by Spoofing |
| Automatic referer leaks credentials | 7.1.1 | 7.75.0 | CVE-2021-22876 | CWE-359: Exposure of Private Personal Information to an Unauthorized Actor |
| Inferior OCSP verification | 7.41.0 | 7.73.0 | CVE-2020-8286 | CWE-299: Improper Check for Certificate Revocation |
| FTP wildcard stack overflow | 7.21.0 | 7.73.0 | CVE-2020-8285 | CWE-674: Uncontrolled Recursion |
| trusting FTP PASV responses | 4.0 | 7.73.0 | CVE-2020-8284 | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |

Changelog for curl 7.72.0

See the vulnerability summary for the previous release (7.71.1) or the subsequent release (7.73.0).