curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s).

An update of the cmake package has been released.

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0808 advisory.

  - The go command may execute arbitrary code at build time when using cgo. This may occur when running go     get on a malicious module, or when running any other command which builds untrusted code. This is can by     triggered by linker flags, specified via a #cgo LDFLAGS directive. Flags containing embedded spaces are     mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in     the argument of another flag. This only affects usage of the gccgo compiler. (CVE-2023-29405)

  - When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by     finalizing the operation with a rename from a temporary name to the final target file name.In that rename     operation, it might accidentally *widen* the permissions for the target file, leaving the updated file     accessible to more users than intended. (CVE-2022-32207)

  - decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. (CVE-2022-38900)

  - The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
    (CVE-2022-33987)

  - Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the     name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3. (CVE-2022-37601)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0613 advisory.

  - A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as     @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states we are in     the process of marking this report as invalid; however, some third parties takes the position that A     prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge     or deep cloning but also when a target object is polluted. (CVE-2022-37616)

  - When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by     finalizing the operation with a rename from a temporary name to the final target file name.In that rename     operation, it might accidentally *widen* the permissions for the target file, leaving the updated file     accessible to more users than intended. (CVE-2022-32207)

  - An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the     XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to     access an array at a negative 2GB offset, typically leading to a segmentation fault. (CVE-2022-40303)

  - An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a     hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be     provoked. (CVE-2022-40304)

  - There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName.
    X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME     incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently     interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL     checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may     allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or     enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate     chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these     inputs, the other input must already contain an X.400 address as a CRL distribution point, which is     uncommon. As such, this vulnerability is most likely to only affect applications which have implemented     their own functionality for retrieving CRLs over a network. (CVE-2023-0286)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2472 advisory.

    This release adds the new Apache HTTP Server 2.4.37 Service Pack 8 packages that are part of the JBoss     Core Services offering.

    This release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service     Pack 7 and includes bug fixes and enhancements. Refer to the Release Notes for information on the most     significant bug fixes and enhancements included in this release.

    Security Fix(es):

    * curl: Use-after-free in TLS session handling when using OpenSSL TLS backend (CVE-2021-22901)

    * httpd: NULL pointer dereference on specially crafted HTTP/2 request (CVE-2021-31618)

    * libcurl: partial password leak over DNS on HTTP redirect (CVE-2020-8169)

    * curl: FTP PASV command response can cause curl to connect to arbitrary host (CVE-2020-8284)

    * curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used     (CVE-2020-8285)

    * curl: Inferior OCSP verification (CVE-2020-8286)

    * curl: Leak of authentication credentials in URL via automatic Referer (CVE-2021-22876)

    * curl: TLS 1.3 session ticket mix-up with HTTPS proxy host (CVE-2021-22890)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Multiple vulnerabilities were discovered in cURL, an URL transfer library :

  - CVE-2020-8169     Marek Szlagor reported that libcurl could be tricked     into prepending a part of the password to the host name     before it resolves it, potentially leaking the partial     password over the network and to the DNS server(s).

  - CVE-2020-8177     sn reported that curl could be tricked by a malicious     server into overwriting a local file when using the -J     (--remote-header-name) and -i (--include) options in the     same command line.

  - CVE-2020-8231     Marc Aldorasi reported that libcurl might use the wrong     connection when an application using libcurl's multi API     sets the option CURLOPT_CONNECT_ONLY, which could lead     to information leaks.

  - CVE-2020-8284     Varnavas Papaioannou reported that a malicious server     could use the PASV response to trick curl into     connecting back to an arbitrary IP address and port,     potentially making curl extract information about     services that are otherwise private and not disclosed.

  - CVE-2020-8285     xnynx reported that libcurl could run out of stack space     when using the FTP wildcard matching functionality     (CURLOPT_CHUNK_BGN_FUNCTION).

  - CVE-2020-8286     It was reported that libcurl didn't verify that an OCSP     response actually matches the certificate it is intended     to.

  - CVE-2021-22876     Viktor Szakats reported that libcurl does not strip off     user credentials from the URL when automatically     populating the Referer HTTP request header field in     outgoing HTTP requests.

  - CVE-2021-22890     Mingtao Yang reported that, when using an HTTPS proxy     and TLS 1.3, libcurl could confuse session tickets     arriving from the HTTPS proxy as if they arrived from     the remote server instead. This could allow an HTTPS     proxy to trick libcurl into using the wrong session     ticket for the host and thereby circumvent the server     TLS certificate check.

According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - Vulnerability Summary for CVE-2020-8169(CVE-2020-8169)

  - Vulnerability Summary for CVE-2020-8177(CVE-2020-8177)

  - Expired pointer dereference via multi API with     `CURLOPT_CONNECT_ONLY` option set(CVE-2020-8231)

  - curl 7.21.0 to and including 7.73.0 is vulnerable to     uncontrolled recursion due to a stack overflow issue in     FTP wildcard match parsing.(CVE-2020-8285)

  - curl 7.41.0 through 7.73.0 is vulnerable to an improper     check for certificate revocation due to insufficient     verification of the OCSP response.(CVE-2020-8286)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version number, the version of PHP running on the remote Windows web server is 7.2.x prior to 7.2.32, 7.3.x prior to 7.3.20 or 7.4.x prior to 7.4.8. It is, therefore, affected by an information disclosure vulnerability. The libcurl library can be tricked to prepend a part of the password to the host name before it resolves it, potentially leaking the partial password over the network and to the DNS server(s).

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

Major update includes security fixes.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-202007-16 (cURL: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in cURL. Please review the       CVE identifiers referenced below for details.
  Impact :

    Please review the referenced CVE identifiers for details.
  Workaround :

    There is no known workaround at this time.

This update for curl fixes the following issues :

  - CVE-2020-8177: Fixed an issue where curl could have been     tricked by a malicious server to overwrite a local file     when using the -J option (bsc#1173027).&#9; 

  - CVE-2020-8169: Fixed an issue where could have led to     partial password leak over DNS on HTTP redirect     (bsc#1173026).

This update was imported from the SUSE:SLE-15-SP2:Update update project.

According to its self-reported version number, the version of PHP running on the remote Windows web server is 7.2.x prior to 7.2.32, 7.3.x prior to 7.3.20 or 7.4.x prior to 7.4.8. It is, therefore, affected by an information disclosure vulnerability. The libcurl library can be tricked to prepend a part of the password to the host name before it resolves it, potentially leaking the partial password over the network and to the DNS server(s).

- avoid overwriting a local file with -J (CVE-2020-8177)

  - fix partial password leak over DNS on HTTP redirect     (CVE-2020-8169)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for curl fixes the following issues :

CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027).

CVE-2020-8169: Fixed an issue where could have led to partial password leak over DNS on HTTP redirect (bsc#1173026).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4402-1 advisory.

    Marek Szlagor, Gregory Jefferis and Jeroen Ooms discovered that curl incorrectly handled certain     credentials. An attacker could possibly use this issue to expose sensitive information. This issue only     affected Ubuntu 19.10 and Ubuntu 20.04 LTS. (CVE-2020-8169)

    It was discovered that curl incorrectly handled certain parameters. An attacker could possibly use this     issue to overwrite a local file. (CVE-2020-8177)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

New curl packages are available for Slackware 14.0, 14.1, 14.2, and
-current to fix security issues.

curl security problems :

CVE-2020-8169: Partial password leak over DNS on HTTP redirect

libcurl can be tricked to prepend a part of the password to the host name before it resolves it, potentially leaking the partial password over the network and to the DNS server(s).

libcurl can be given a username and password for HTTP authentication when requesting an HTTP resource - used for HTTP Authentication such as Basic, Digest, NTLM and similar. The credentials are set, either together with CURLOPT_USERPWD or separately with CURLOPT_USERNAME and CURLOPT_PASSWORD. Important detail: these strings are given to libcurl as plain C strings and they are not supposed to be URL encoded.

In addition, libcurl also allows the credentials to be set in the URL, using the standard RFC 3986 format : http://user:password@host/path.
In this case, the name and password are URL encoded as that's how they appear in URLs.

If the options are set, they override the credentials set in the URL.

Internally, this is handled by storing the credentials in the 'URL object' so that there is only a single set of credentials stored associated with this single URL.

When libcurl handles a relative redirect (as opposed to an absolute URL redirect) for an HTTP transfer, the server is only sending a new path to the client and that path is applied on to the existing URL.
That 'applying' of the relative path on top of an absolute URL is done by libcurl first generating a full absolute URL out of all the components it has, then it applies the redirect and finally it deconstructs the URL again into its separate components.

This security vulnerability originates in the fact that curl did not correctly URL encode the credential data when set using one of the curl_easy_setopt options described above. This made curl generate a badly formatted full URL when it would do a redirect and the final re-parsing of the URL would then go bad and wrongly consider a part of the password field to belong to the host name.

The wrong host name would then be used in a name resolve lookup, potentially leaking the host name + partial password in clear text over the network (if plain DNS was used) and in particular to the used DNS server(s).

CVE-2020-8177: curl overwrite local file with -J

curl can be tricked by a malicious server to overwrite a local file when using -J (--remote-header-name) and -i (--include) in the same command line.

The command line tool offers the -J option that saves a remote file using the file name present in the Content-Disposition : response header. curl then refuses to overwrite an existing local file using the same name, if one already exists in the current directory.

The -J flag is designed to save a response body, and so it doesn't work together with -i and there's logic that forbids it. However, the check is flawed and doesn't properly check for when the options are used in the reversed order: first using -J and then -i were mistakenly accepted.

The result of this mistake was that incoming HTTP headers could overwrite a local file if one existed, as the check to avoid the local file was done first when body data was received, and due to the mistake mentioned above, it could already have received and saved headers by that time.

The saved file would only get response headers added to it, as it would abort the saving when the first body byte arrives. A malicious server could however still be made to send back virtually anything as headers and curl would save them like this, until the first CRLF-CRLF sequence appears.

(Also note that -J needs to be used in combination with -O to have any effect.)

ID	Name	Product	Family	Severity
203839	Photon OS 3.0: Cmake PHSA-2023-3.0-0603	Nessus	PhotonOS Local Security Checks	critical
194928	Splunk Enterprise 8.2.0 < 8.2.12, 9.0.0 < 9.0.6, 9.1.0 < 9.1.1 (SVD-2023-0808)	Nessus	CGI abuses	critical
194927	Universal Forwarders < 8.1.14, 8.2.0 < 8.2.11, 9.0.0 < 9.0.5 (SVD-2023-0614)	Nessus	CGI abuses	critical
194926	Universal Forwarder 8.2.0 < 8.2.12, 9.0.0 < 9.0.6, 9.1.0 < 9.1.1 (SVD-2023-0809)	Nessus	CGI abuses	critical
194919	Splunk Enterprise < 8.1.14, 8.2.0 < 8.2.11, 9.0.0 < 9.0.5 (SVD-2023-0613)	Nessus	CGI abuses	critical
150852	RHEL 7 / 8 : Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP8 (RHSA-2021:2472)	Nessus	Red Hat Local Security Checks	high
148277	Debian DSA-4881-1 : curl - security update	Nessus	Debian Local Security Checks	high
147470	EulerOS Virtualization 2.9.1 : curl (EulerOS-SA-2021-1596)	Nessus	Huawei Local Security Checks	high
112612	PHP 7.2.x < 7.2.32 Information Disclosure	Web App Scanning	Component Vulnerability	high
112611	PHP 7.3.x < 7.3.20 Information Disclosure	Web App Scanning	Component Vulnerability	high
112610	PHP 7.4.x < 7.4.8 Information Disclosure	Web App Scanning	Component Vulnerability	high
139346	Fedora 32 : mingw-curl (2020-ad05132742)	Nessus	Fedora Local Security Checks	high
138939	GLSA-202007-16 : cURL: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
138708	openSUSE Security Update : curl (openSUSE-2020-883)	Nessus	SuSE Local Security Checks	high
138593	PHP 7.2.x < 7.2.32 / 7.3.x < 7.3.20 / 7.4.x < 7.4.8 Information Disclosure	Nessus	CGI abuses	high
138366	Fedora 31 : curl (2020-55f1f7cb13)	Nessus	Fedora Local Security Checks	high
138291	SUSE SLED15 / SLES15 Security Update : curl (SUSE-SU-2020:1733-1)	Nessus	SuSE Local Security Checks	high
137866	Fedora 32 : curl (2020-6af1dd2936)	Nessus	Fedora Local Security Checks	high
137824	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS : curl vulnerabilities (USN-4402-1)	Nessus	Ubuntu Local Security Checks	high
137822	Slackware 14.0 / 14.1 / 14.2 / current : curl (SSA:2020-176-01)	Nessus	Slackware Local Security Checks	high
137792	FreeBSD : curl -- multiple vulnerabilities (6bff5ca6-b61a-11ea-aef4-08002728f74c)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2020-8169

high

Tenable Plugins

critical

critical

critical

critical

critical

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high