curl / Docs / Vulnerability table / 7.81.0 vulnerabilities

Vulnerabilities in curl 7.81.0

curl version 7.81.0 was released on January 5 2022. The following 25 security problems are known to exist in this version.

FlawFrom versionTo and includingCVECWE
SSH connection too eager reuse still7.16.17.88.1CVE-2023-27538CWE-305: Authentication Bypass by Primary Weakness
GSS delegation too eager connection re-use7.22.07.88.1CVE-2023-27536CWE-305: Authentication Bypass by Primary Weakness
FTP too eager connection reuse7.13.07.88.1CVE-2023-27535CWE-305: Authentication Bypass by Primary Weakness
SFTP path ~ resolving discrepancy7.18.07.88.1CVE-2023-27534CWE-22: Improper Limitation of a Pathname to a Restricted Directory
TELNET option IAC injection7.77.88.1CVE-2023-27533CWE-75: Failure to Sanitize Special Elements into a Different Plane
HTTP multi-header compression denial of service7.57.07.87.0CVE-2023-23916CWE-770: Allocation of Resources Without Limits or Throttling
HSTS amnesia with --parallel7.77.07.87.0CVE-2023-23915CWE-319: Cleartext Transmission of Sensitive Information
HSTS ignored on multiple requests7.77.07.87.0CVE-2023-23914CWE-319: Cleartext Transmission of Sensitive Information
HTTP Proxy deny use-after-free7.16.07.86.0CVE-2022-43552CWE-416: Use After Free
Another HSTS bypass via IDN7.77.07.86.0CVE-2022-43551CWE-319: Cleartext Transmission of Sensitive Information
HSTS bypass via IDN7.77.07.85.0CVE-2022-42916CWE-319: Cleartext Transmission of Sensitive Information
HTTP proxy double-free7.77.07.85.0CVE-2022-42915CWE-415: Double Free
POST following PUT confusion7.77.85.0CVE-2022-32221CWE-440: Expected Behavior Violation
control code in cookie denial of service4.97.84.0CVE-2022-35252CWE-1286: Improper Validation of Syntactic Correctness of Input
FTP-KRB bad message verification7.16.47.83.1CVE-2022-32208CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel
Unpreserved file permissions7.69.07.83.1CVE-2022-32207CWE-281: Improper Preservation of Permissions
HTTP compression denial of service7.57.07.83.1CVE-2022-32206CWE-770: Allocation of Resources Without Limits or Throttling
Set-Cookie denial of service7.71.07.83.1CVE-2022-32205CWE-770: Allocation of Resources Without Limits or Throttling
TLS and SSH connection too eager reuse7.16.17.83.0CVE-2022-27782CWE-305: Authentication Bypass by Primary Weakness
CERTINFO never-ending busy-loop7.34.07.83.0CVE-2022-27781CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
percent-encoded path separator in URL host7.80.07.83.0CVE-2022-27780CWE-177: Improper Handling of URL Encoding
Auth/cookie leak on redirect4.97.82.0CVE-2022-27776CWE-522: Insufficiently Protected Credentials
Bad local IPv6 connection reuse7.65.07.82.0CVE-2022-27775CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Credential leak on redirect4.97.82.0CVE-2022-27774CWE-522: Insufficiently Protected Credentials
OAUTH2 bearer bypass in connection re-use7.33.07.82.0CVE-2022-22576CWE-305: Authentication Bypass by Primary Weakness

Changelog for curl 7.81.0

See vulnerability summary for the previous release: 7.80.0 or the subsequent release: 7.82.0