CVE-2018-1000005

2018-01-2422:29:00

Google

osv.dev

9.3 High

AI Score

Confidence

High

0.007 Low

EPSS

Percentile

79.6%

JSON

libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in code handling HTTP/2 trailers. It was reported (https://github.com/curl/curl/pull/2231) that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like : to the target buffer, while this was recently changed to : (a space was added after the colon) but the following math wasn’t updated correspondingly. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to client write. This could lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.

CPENameOperatorVersion
curleq7.28.0-r0
curleq7.21.1-r0
curleq7.47.0-r0
curleq7.28.1-r0
curleq7.31.0-r0
curleq7.44.0-r0
curleq7.55.1-r0
curleq7.40.0-r0
curleqcurl-7_54_1
curleq7.20.1-r0

Name	Operator	Version
curl	eq	7.28.0-r0
curl	eq	7.21.1-r0
curl	eq	7.47.0-r0
curl	eq	7.28.1-r0
curl	eq	7.31.0-r0
curl	eq	7.44.0-r0
curl	eq	7.55.1-r0
curl	eq	7.40.0-r0
curl	eq	curl-7_54_1
curl	eq	7.20.1-r0