CURL/libcURL Remote Security Restriction Bypass Vulnerability (CVE-2014-8150)

CURL/libcURL Remote Security Restriction Bypass Vulnerability (CVE-2014-8150)

Release date:
Updated on:

Affected Systems:
CURL 6.0-7.39.0
Unaffected system:
CURL> = 7.40.0
Description:
Bugtraq id: 71964
CVE (CAN) ID: CVE-2014-8150

CURL/libcURL is a command line FILE transmission tool that supports FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE, and LDAP.

CURL/libcURL 6.0-7.39.0 has the URL request injection vulnerability in the implementation of parseurlandfillconn (). Attackers can exploit this vulnerability to bypass security restrictions and perform unauthorized operations. When a libcurl sends a request to the server through an HTTP proxy, the whole URL will be copied, including the line feed and carriage return, which can enable malicious users to insert invalid request headers.

<* Source: Andrey Labunets

Link: http://curl.haxx.se/docs/adv_20150108B.html
*>

Suggestion:
Vendor patch:

CURL
----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://curl.haxx.se/CVE-2014-8150.patch

Ubuntu users install the download tool cURL 7.36.0

Linux curl

Sharing of Curl usage and common functions in Unix

Curl command

This article permanently updates the link address: