Metric | Value |
---|---|
CVSS3 | 3.5 Low |
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | LOW |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N |
AI Score | 5.2 Medium (Confidence: High) |
EPSS | 0.0004 Low (Percentile: 10.3%) |

When a protocol selection parameter option disables all protocols without
adding any, the default set of protocols would remain in the allowed
set due to an error in the logic for removing protocols. The command below
would perform a request to curl.se with a plaintext protocol which has been
explicitly disabled.

    curl --proto -all,-http http://curl.se

The flaw is only present if the set of selected protocols disables the
entire set of available protocols, in itself a command with no practical
use and therefore unlikely to be encountered in real situations. The curl
security team has thus assessed this to be a low severity bug.

Priority reason: Upstream developers consider this a low severity issue

Author | Note |
---|---|
mdeslaur | affects curl 7.85.0 to and including 8.6.0 |
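
A version check against the affected range in the note above, added here as an example (it is not part of the advisory or of curl). The function names are hypothetical and the banner strings are constructed sample input in the layout of the first line of `curl --version`.

```shell
#!/bin/sh
# Added example: flag curl versions inside the range stated in the note
# (7.85.0 up to and including 8.6.0). Function names are hypothetical.

# Convert MAJOR.MINOR.PATCH into one comparable integer.
ver_to_int() {
    v=${1%%[!0-9.]*}            # drop suffixes such as "-DEV"
    old_ifs=$IFS; IFS=.
    set -- $v                   # split on dots into $1 $2 $3
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Pull the version out of the first line of `curl --version` output,
# e.g. "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 ...".
curl_version_from_banner() {
    printf '%s\n' "$1" | awk 'NR==1 && $1=="curl" {print $2}'
}

# Exit status 0 when the version lies in the affected range, 1 otherwise.
is_affected() {
    n=$(ver_to_int "$1")
    [ "$n" -ge "$(ver_to_int 7.85.0)" ] && [ "$n" -le "$(ver_to_int 8.6.0)" ]
}

# Constructed sample banners (not captured from real hosts).
for banner in \
    'curl 7.84.0 (constructed) libcurl/7.84.0' \
    'curl 8.6.0 (constructed) libcurl/8.6.0' \
    'curl 8.7.1 (constructed) libcurl/8.7.1'
do
    ver=$(curl_version_from_banner "$banner")
    if is_affected "$ver"; then
        echo "$ver: inside affected range"
    else
        echo "$ver: outside affected range"
    fi
done

# Check the locally installed binary when one is present (no network use).
if command -v curl >/dev/null 2>&1; then
    ver=$(curl_version_from_banner "$(curl --version)")
    if is_affected "$ver"; then
        echo "local curl $ver: inside affected range"
    else
        echo "local curl $ver: outside affected range"
    fi
fi
```

Distribution packages can carry a backported fix without changing the upstream version number, so a match here is a prompt to check the package changelog rather than proof that the flaw is present.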