CVE-2018-1000300

CVE-2018-1000300

Name

CVE-2018-1000300

Description

curl version curl 7.54.1 to and including curl 7.59.0 contains a CWE-122: Heap-based Buffer Overflow vulnerability in denial of service and more that can result in curl might overflow a heap based memory buffer when closing down an FTP connection with very long server command replies.. This vulnerability appears to have been fixed in curl < 7.54.1 and curl >= 7.60.0.

NVD Severity

high

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Patch	https://curl.haxx.se/docs/adv_2018-82c2.html
Third Party Advisory	https://usn.ubuntu.com/3648-1/
Third Party Advisory	http://www.securitytracker.com/id/1040933
Third Party Advisory	http://www.securityfocus.com/bid/104207
Patch	http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
Patch	http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
Third Party Advisory	https://security.gentoo.org/glsa/201806-05
Patch	https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Type

URI

Patch

https://curl.haxx.se/docs/adv_2018-82c2.html

Third Party Advisory

https://usn.ubuntu.com/3648-1/

Third Party Advisory

http://www.securitytracker.com/id/1040933

Third Party Advisory

http://www.securityfocus.com/bid/104207

Patch

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Patch

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Third Party Advisory

https://security.gentoo.org/glsa/201806-05

Patch

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:haxx:curl::::::::`	curl	>= 7.54.1	<= 7.59.0

CPE URI

Source package

Min version

Max version

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

curl

>= 7.54.1

<= 7.59.0

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
curl	edge-main	7.60.0-r0	None	fixed
curl	edge-main	7.59.0-r0	None	possibly vulnerable
curl	edge-main	7.57.0-r0	None	possibly vulnerable
curl	edge-main	7.56.1-r0	None	possibly vulnerable
curl	edge-main	7.55.0-r0	None	possibly vulnerable
curl	3.22-main	7.60.0-r0	None	fixed
curl	3.22-main	7.59.0-r0	None	possibly vulnerable
curl	3.22-main	7.57.0-r0	None	possibly vulnerable
curl	3.22-main	7.56.1-r0	None	possibly vulnerable
curl	3.22-main	7.55.0-r0	None	possibly vulnerable
curl	3.21-main	7.60.0-r0	None	fixed
curl	3.21-main	7.59.0-r0	None	possibly vulnerable
curl	3.21-main	7.57.0-r0	None	possibly vulnerable
curl	3.21-main	7.56.1-r0	None	possibly vulnerable
curl	3.21-main	7.55.0-r0	None	possibly vulnerable
curl	3.20-main	7.60.0-r0	None	fixed
curl	3.20-main	7.59.0-r0	None	possibly vulnerable
curl	3.20-main	7.57.0-r0	None	possibly vulnerable
curl	3.20-main	7.56.1-r0	None	possibly vulnerable
curl	3.20-main	7.55.0-r0	None	possibly vulnerable
curl	3.19-main	7.60.0-r0	None	fixed
curl	3.19-main	7.59.0-r0	None	possibly vulnerable
curl	3.19-main	7.57.0-r0	None	possibly vulnerable
curl	3.19-main	7.56.1-r0	None	possibly vulnerable
curl	3.19-main	7.55.0-r0	None	possibly vulnerable
curl	3.18-main	7.60.0-r0	None	fixed
curl	3.17-main	7.60.0-r0	None	fixed
curl	3.12-main	7.60.0-r0	None	fixed
curl	3.11-main	7.60.0-r0	None	fixed
curl	3.10-main	7.60.0-r0	None	fixed

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages