curl supports communicating using the TELNET protocol and as a part of this it offers users to pass on user name and “telnet options” for the server negotiation.

Due to lack of proper input scrubbing and without it being the documented functionality, curl would pass on user name and telnet options to the server as provided. This could allow users to pass in carefully crafted content that pass on content or do option negotiation without the application intending to do so. In particular if an application for example allows users to provide the data or parts of the data.

Hackerone report

#1891474

Impact

Attacker being able to specify TTYPE, XDISPLOC or NEW_ENV values is able to inject unintended TELNET commands to the telnet connection. Depending on the use case of the telnet protocol, this may allow the attacker to inject arbitrary controlling operations, or arbitrary input as if entered by the user manually.

veracode 1

alpinelinux 1

ibm 14

cvelist 1

osv 6

hackerone 1

cbl_mariner 5

nvd 1

prion 1

debiancve 1

cve 1

redhatcve 1