CVE-2019-3823

Name
CVE-2019-3823
Description
libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL-terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. The read contents will not be returned to the caller.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type                   URI
Patch                  https://curl.haxx.se/docs/CVE-2019-3823.html
Exploit                https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3823
Third Party Advisory   https://www.debian.org/security/2019/dsa-4386
Third Party Advisory   https://usn.ubuntu.com/3882-1/
Third Party Advisory   http://www.securityfocus.com/bid/106950
Third Party Advisory   https://security.gentoo.org/glsa/201903-03
Exploit                https://security.netapp.com/advisory/ntap-20190315-0001/
Mailing List           https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E
Patch                  https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
MISC                   https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
REDHAT                 https://access.redhat.com/errata/RHSA-2019:3701
CONFIRM                https://cert-portal.siemens.com/productcert/pdf/ssa-936080.pdf

Match rules

CPE URI                                    Source package   Min version   Max version
cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*     libcurl          >= 7.34.0     < 7.64.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status