CVE-2009-0037

Exploit

EPSS 7.81%
Veröffentlicht 05.03.2009 02:30:00
Zuletzt bearbeitet 16.06.2026 23:04:08
Quelle secalert@redhat.com
CVE-Watchlists
Login
Unerledigt
Login

The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 35

NVD 80 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Curl ≫ Curl Version5.11

Curl ≫ Curl Version6.0

Curl ≫ Curl Version6.1beta

Curl ≫ Curl Version6.2

Curl ≫ Curl Version6.3

Curl ≫ Curl Version6.3.1

Curl ≫ Curl Version6.4

Curl ≫ Curl Version6.5

Curl ≫ Curl Version6.5.1

Curl ≫ Curl Version6.5.2

Curl ≫ Curl Version7.1

Curl ≫ Curl Version7.1.1

Curl ≫ Curl Version7.2

Curl ≫ Curl Version7.2.1

Curl ≫ Curl Version7.3

Curl ≫ Curl Version7.4

Curl ≫ Curl Version7.4.1

Curl ≫ Curl Version7.4.2

Curl ≫ Curl Version7.5

Curl ≫ Curl Version7.5.1

Curl ≫ Curl Version7.5.2

Curl ≫ Curl Version7.6

Curl ≫ Curl Version7.6.1

Curl ≫ Curl Version7.7

Curl ≫ Curl Version7.7.1

Curl ≫ Curl Version7.7.2

Curl ≫ Curl Version7.7.3

Curl ≫ Curl Version7.8

Curl ≫ Curl Version7.8.1

Curl ≫ Curl Version7.8.2

Curl ≫ Curl Version7.9

Curl ≫ Curl Version7.9.1

Curl ≫ Curl Version7.9.2

Curl ≫ Curl Version7.9.3

Curl ≫ Curl Version7.9.4

Curl ≫ Curl Version7.9.5

Curl ≫ Curl Version7.9.6

Curl ≫ Curl Version7.9.7

Curl ≫ Curl Version7.9.8

Curl ≫ Curl Version7.10

Curl ≫ Curl Version7.10.1

Curl ≫ Curl Version7.10.2

Curl ≫ Curl Version7.10.3

Curl ≫ Curl Version7.10.4

Curl ≫ Curl Version7.10.5

Curl ≫ Curl Version7.10.6

Curl ≫ Curl Version7.10.7

Curl ≫ Curl Version7.10.8

Curl ≫ Curl Version7.11.1

Curl ≫ Curl Version7.12

Curl ≫ Curl Version7.12.1

Curl ≫ Curl Version7.12.2

Curl ≫ Curl Version7.13

Curl ≫ Curl Version7.13.2

Curl ≫ Curl Version7.14

Curl ≫ Curl Version7.14.1

Curl ≫ Curl Version7.15

Curl ≫ Curl Version7.15.1

Curl ≫ Curl Version7.15.3

Curl ≫ Curl Version7.16.3

Curl ≫ Curl Version7.16.4

Curl ≫ Curl Version7.17

Curl ≫ Curl Version7.18

Curl ≫ Curl Version7.19.3

Curl ≫ Libcurl Version5.11

Curl ≫ Libcurl Version7.12

Curl ≫ Libcurl Version7.12.1

Curl ≫ Libcurl Version7.12.2

Curl ≫ Libcurl Version7.12.3

Curl ≫ Libcurl Version7.13

Curl ≫ Libcurl Version7.13.1

Curl ≫ Libcurl Version7.13.2

Curl ≫ Libcurl Version7.14

Curl ≫ Libcurl Version7.14.1

Curl ≫ Libcurl Version7.15

Curl ≫ Libcurl Version7.15.1

Curl ≫ Libcurl Version7.15.2

Curl ≫ Libcurl Version7.15.3

Curl ≫ Libcurl Version7.16.3

Curl ≫ Libcurl Version7.19.3

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	7.81%	0.939

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html

http://support.apple.com/kb/HT4077

http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00001.html

http://secunia.com/advisories/34259

http://lists.vmware.com/pipermail/security-announce/2009/000060.html

http://secunia.com/advisories/35766

http://www.securityfocus.com/archive/1/504849/100/0/threaded

http://www.vmware.com/security/advisories/VMSA-2009-0009.html

http://www.vupen.com/english/advisories/2009/1865

http://curl.haxx.se/docs/adv_20090303.html

Patch

Vendor Advisory

http://curl.haxx.se/lxr/source/CHANGES

Patch

Vendor Advisory

http://secunia.com/advisories/34138

Vendor Advisory

http://secunia.com/advisories/34202

http://secunia.com/advisories/34237

http://secunia.com/advisories/34251

http://secunia.com/advisories/34255

http://secunia.com/advisories/34399

http://security.gentoo.org/glsa/glsa-200903-21.xml

http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.476602

http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0042

http://www.debian.org/security/2009/dsa-1738

http://www.redhat.com/support/errata/RHSA-2009-0341.html

http://www.securityfocus.com/archive/1/501757/100/0/threaded

http://www.securityfocus.com/bid/33962

Patch

Exploit

http://www.securitytracker.com/id?1021783

http://www.ubuntu.com/usn/USN-726-1

http://www.vupen.com/english/advisories/2009/0581

Patch

Vendor Advisory

http://www.withdk.com/2009/03/03/curllibcurl-redirect-arbitrary-file-access/

http://www.withdk.com/archives/Libcurl_arbitrary_file_access.pdf

https://exchange.xforce.ibmcloud.com/vulnerabilities/49030

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11054

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6074

https://nvd.nist.gov/vuln/detail/CVE-2009-0037

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2009-0037

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2009-0037

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2009-0037