
Vulnerabilities in curl 7.84.0

curl version 7.84.0 was released on June 27 2022. The following 15 security problems are known to exist in this version.

| Flaw | From version | To and including | CVE | CWE |
|---|---|---|---|---|
| SSH connection too eager reuse still | 7.16.1 | 7.88.1 | CVE-2023-27538 | CWE-305: Authentication Bypass by Primary Weakness |
| GSS delegation too eager connection re-use | 7.22.0 | 7.88.1 | CVE-2023-27536 | CWE-305: Authentication Bypass by Primary Weakness |
| FTP too eager connection reuse | 7.13.0 | 7.88.1 | CVE-2023-27535 | CWE-305: Authentication Bypass by Primary Weakness |
| SFTP path ~ resolving discrepancy | 7.18.0 | 7.88.1 | CVE-2023-27534 | CWE-22: Improper Limitation of a Pathname to a Restricted Directory |
| TELNET option IAC injection | 7.7 | 7.88.1 | CVE-2023-27533 | CWE-75: Failure to Sanitize Special Elements into a Different Plane |
| HTTP multi-header compression denial of service | 7.57.0 | 7.87.0 | CVE-2023-23916 | CWE-770: Allocation of Resources Without Limits or Throttling |
| HSTS amnesia with --parallel | 7.77.0 | 7.87.0 | CVE-2023-23915 | CWE-319: Cleartext Transmission of Sensitive Information |
| HSTS ignored on multiple requests | 7.77.0 | 7.87.0 | CVE-2023-23914 | CWE-319: Cleartext Transmission of Sensitive Information |
| HTTP Proxy deny use-after-free | 7.16.0 | 7.86.0 | CVE-2022-43552 | CWE-416: Use After Free |
| Another HSTS bypass via IDN | 7.77.0 | 7.86.0 | CVE-2022-43551 | CWE-319: Cleartext Transmission of Sensitive Information |
| HSTS bypass via IDN | 7.77.0 | 7.85.0 | CVE-2022-42916 | CWE-319: Cleartext Transmission of Sensitive Information |
| HTTP proxy double-free | 7.77.0 | 7.85.0 | CVE-2022-42915 | CWE-415: Double Free |
| .netrc parser out-of-bounds access | 7.84.0 | 7.85.0 | CVE-2022-35260 | CWE-121: Stack-based Buffer Overflow |
| POST following PUT confusion | 7.7 | 7.85.0 | CVE-2022-32221 | CWE-440: Expected Behavior Violation |
| control code in cookie denial of service | 4.9 | 7.84.0 | CVE-2022-35252 | CWE-1286: Improper Validation of Syntactic Correctness of Input |

Changelog for curl 7.84.0

See vulnerability summary for the previous release: 7.83.1 or the subsequent release: 7.85.0