2.6 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:H/Au:N/C:P/I:N/A:N
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
0.002 Low
EPSS
Percentile
56.8%
When curl is instructed to get content using the metalink feature, and a
user name and password are used to download the metalink XML file, those
same credentials are then subsequently passed on to each of the servers
from which curl will download or try to download the contents from. Often
contrary to the userโs expectations and intentions and without telling the
user it happened.
Author | Note |
---|---|
mdeslaur | introduced in 7.27.0 per upstream โcurl has completely removed the metalink feature as of 7.78.0. No fix for this flaw will be produced by the curl project. The fix for earlier versions is to rebuild curl with the metalink support switched off!โ Ubuntu builds curl with metalink support switched off already. |
2.6 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:H/Au:N/C:P/I:N/A:N
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
0.002 Low
EPSS
Percentile
56.8%