CVE-2009-0037

Exploit

EPSS 3.37%
Veröffentlicht 05.03.2009 02:30:00
Zuletzt bearbeitet 09.04.2025 00:30:58
Quelle secalert@redhat.com
CVE-Watchlists
Login
Unerledigt
Login

The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 35

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Curl ≫ Curl Version5.11

Curl ≫ Curl Version6.0

Curl ≫ Curl Version6.1beta

Curl ≫ Curl Version6.2

Curl ≫ Curl Version6.3

Curl ≫ Curl Version6.3.1

Curl ≫ Curl Version6.4

Curl ≫ Curl Version6.5

Curl ≫ Curl Version6.5.1

Curl ≫ Curl Version6.5.2

Curl ≫ Curl Version7.1

Curl ≫ Curl Version7.1.1

Curl ≫ Curl Version7.2

Curl ≫ Curl Version7.2.1

Curl ≫ Curl Version7.3

Curl ≫ Curl Version7.4

Curl ≫ Curl Version7.4.1

Curl ≫ Curl Version7.4.2

Curl ≫ Curl Version7.5

Curl ≫ Curl Version7.5.1

Curl ≫ Curl Version7.5.2

Curl ≫ Curl Version7.6

Curl ≫ Curl Version7.6.1

Curl ≫ Curl Version7.7

Curl ≫ Curl Version7.7.1

Curl ≫ Curl Version7.7.2

Curl ≫ Curl Version7.7.3

Curl ≫ Curl Version7.8

Curl ≫ Curl Version7.8.1

Curl ≫ Curl Version7.8.2

Curl ≫ Curl Version7.9

Curl ≫ Curl Version7.9.1

Curl ≫ Curl Version7.9.2

Curl ≫ Curl Version7.9.3

Curl ≫ Curl Version7.9.4

Curl ≫ Curl Version7.9.5

Curl ≫ Curl Version7.9.6

Curl ≫ Curl Version7.9.7

Curl ≫ Curl Version7.9.8

Curl ≫ Curl Version7.10

Curl ≫ Curl Version7.10.1

Curl ≫ Curl Version7.10.2

Curl ≫ Curl Version7.10.3

Curl ≫ Curl Version7.10.4

Curl ≫ Curl Version7.10.5

Curl ≫ Curl Version7.10.6

Curl ≫ Curl Version7.10.7

Curl ≫ Curl Version7.10.8

Curl ≫ Curl Version7.11.1

Curl ≫ Curl Version7.12

Curl ≫ Curl Version7.12.1

Curl ≫ Curl Version7.12.2

Curl ≫ Curl Version7.13

Curl ≫ Curl Version7.13.2

Curl ≫ Curl Version7.14

Curl ≫ Curl Version7.14.1

Curl ≫ Curl Version7.15

Curl ≫ Curl Version7.15.1

Curl ≫ Curl Version7.15.3

Curl ≫ Curl Version7.16.3

Curl ≫ Curl Version7.16.4

Curl ≫ Curl Version7.17

Curl ≫ Curl Version7.18

Curl ≫ Curl Version7.19.3

Curl ≫ Libcurl Version5.11

Curl ≫ Libcurl Version7.12

Curl ≫ Libcurl Version7.12.1

Curl ≫ Libcurl Version7.12.2

Curl ≫ Libcurl Version7.12.3

Curl ≫ Libcurl Version7.13

Curl ≫ Libcurl Version7.13.1

Curl ≫ Libcurl Version7.13.2

Curl ≫ Libcurl Version7.14

Curl ≫ Libcurl Version7.14.1

Curl ≫ Libcurl Version7.15

Curl ≫ Libcurl Version7.15.1

Curl ≫ Libcurl Version7.15.2

Curl ≫ Libcurl Version7.15.3

Curl ≫ Libcurl Version7.16.3

Curl ≫ Libcurl Version7.19.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	3.37%	0.868

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html

http://support.apple.com/kb/HT4077

http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00001.html

http://secunia.com/advisories/34259

http://lists.vmware.com/pipermail/security-announce/2009/000060.html

http://secunia.com/advisories/35766

http://www.securityfocus.com/archive/1/504849/100/0/threaded

http://www.vmware.com/security/advisories/VMSA-2009-0009.html

http://www.vupen.com/english/advisories/2009/1865

http://curl.haxx.se/docs/adv_20090303.html

Patch

Vendor Advisory