curl / Docs / Vulnerability table / 7.75.0 vulnerabilities

Vulnerabilities in curl 7.75.0

curl version 7.75.0 was released on February 3 2021. The following 32 security problems are known to exist in this version.

Flaw	From version	To and including	CVE	CWE
SSH connection too eager reuse still	7.16.1	7.88.1	CVE-2023-27538	CWE-305: Authentication Bypass by Primary Weakness
GSS delegation too eager connection re-use	7.22.0	7.88.1	CVE-2023-27536	CWE-305: Authentication Bypass by Primary Weakness
FTP too eager connection reuse	7.13.0	7.88.1	CVE-2023-27535	CWE-305: Authentication Bypass by Primary Weakness
SFTP path ~ resolving discrepancy	7.18.0	7.88.1	CVE-2023-27534	CWE-22: Improper Limitation of a Pathname to a Restricted Directory
TELNET option IAC injection	7.7	7.88.1	CVE-2023-27533	CWE-75: Failure to Sanitize Special Elements into a Different Plane
HTTP multi-header compression denial of service	7.57.0	7.87.0	CVE-2023-23916	CWE-770: Allocation of Resources Without Limits or Throttling
HTTP Proxy deny use-after-free	7.16.0	7.86.0	CVE-2022-43552	CWE-416: Use After Free
POST following PUT confusion	7.7	7.85.0	CVE-2022-32221	CWE-440: Expected Behavior Violation
control code in cookie denial of service	4.9	7.84.0	CVE-2022-35252	CWE-1286: Improper Validation of Syntactic Correctness of Input
FTP-KRB bad message verification	7.16.4	7.83.1	CVE-2022-32208	CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel
Unpreserved file permissions	7.69.0	7.83.1	CVE-2022-32207	CWE-281: Improper Preservation of Permissions
HTTP compression denial of service	7.57.0	7.83.1	CVE-2022-32206	CWE-770: Allocation of Resources Without Limits or Throttling
Set-Cookie denial of service	7.71.0	7.83.1	CVE-2022-32205	CWE-770: Allocation of Resources Without Limits or Throttling
TLS and SSH connection too eager reuse	7.16.1	7.83.0	CVE-2022-27782	CWE-305: Authentication Bypass by Primary Weakness
CERTINFO never-ending busy-loop	7.34.0	7.83.0	CVE-2022-27781	CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
Auth/cookie leak on redirect	4.9	7.82.0	CVE-2022-27776	CWE-522: Insufficiently Protected Credentials
Bad local IPv6 connection reuse	7.65.0	7.82.0	CVE-2022-27775	CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Credential leak on redirect	4.9	7.82.0	CVE-2022-27774	CWE-522: Insufficiently Protected Credentials
OAUTH2 bearer bypass in connection re-use	7.33.0	7.82.0	CVE-2022-22576	CWE-305: Authentication Bypass by Primary Weakness
STARTTLS protocol injection via MITM	7.20.0	7.78.0	CVE-2021-22947	CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data
Protocol downgrade required TLS bypassed	7.20.0	7.78.0	CVE-2021-22946	CWE-325: Missing Cryptographic Step
UAF and double-free in MQTT sending	7.73.0	7.78.0	CVE-2021-22945	CWE-415: Double Free
CURLOPT_SSLCERT mixup with Secure Transport	7.33.0	7.77.0	CVE-2021-22926	CWE-295: Improper Certificate Validation
TELNET stack contents disclosure again	7.7	7.77.0	CVE-2021-22925	CWE-457: Use of Uninitialized Variable
Bad connection reuse due to flawed path name checks	7.10.4	7.77.0	CVE-2021-22924	CWE-295: Improper Certificate Validation
Metalink download sends credentials	7.27.0	7.77.0	CVE-2021-22923	CWE-522: Insufficiently Protected Credentials
Wrong content via metalink not discarded	7.27.0	7.77.0	CVE-2021-22922	CWE-20: Improper Input Validation
TLS session caching disaster	7.75.0	7.76.1	CVE-2021-22901	CWE-416: Use After Free
TELNET stack contents disclosure	7.7	7.76.1	CVE-2021-22898	CWE-457: Use of Uninitialized Variable
schannel cipher selection surprise	7.61.0	7.76.1	CVE-2021-22897	CWE-488: Exposure of Data Element to Wrong Session
TLS 1.3 session ticket proxy host mixup	7.63.0	7.75.0	CVE-2021-22890	CWE-290: Authentication Bypass by Spoofing
Automatic referer leaks credentials	7.1.1	7.75.0	CVE-2021-22876	CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

Changelog for curl 7.75.0

See vulnerability summary for the previous release: 7.74.0 or the subsequent release: 7.76.0