CVE-2019-3823

2019-02-0620:00:00

CWE-125

redhat

www.cve.org

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

AI Score

8.6

Confidence

High

EPSS

0.004

Percentile

72.6%

JSON

libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to smtp_endofresp() isn’t NUL terminated and contains no character ending the parsed number, and len is set to 5, then the strtol() call reads beyond the allocated buffer. The read contents will not be returned to the caller.

CNA Affected

[
  {
    "product": "curl",
    "vendor": "The curl Project",
    "versions": [
      {
        "status": "affected",
        "version": "7.64.0"
      }
    ]
  }
]