6.5

CVE-2017-1000099

EPSS 0.63%
Published 05.10.2017 01:29:04
Last modified 20.04.2025 01:37:25
Source cve@mitre.org
Teams watchlist Login
Open Login

When asking to get a file from a file:// URL, libcurl provides a feature that outputs meta-data about the file using HTTP-like headers. The code doing this would send the wrong buffer to the user (stdout or the application's provide callback), which could lead to other private data from the heap to get inadvertently displayed. The wrong buffer was an uninitialized memory area allocated on the heap and if it turned out to not contain any zero byte, it would continue and display the data following that buffer in memory.

Affected products Warnungen 0 Metrics 3 CWE 1 References 8

Data is provided by the National Vulnerability Database (NVD)

Haxx ≫ Libcurl Version7.54.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.63%	0.692

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:P/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://security.gentoo.org/glsa/201709-14

Patch

Third Party Advisory

VDB Entry

http://www.securityfocus.com/bid/100281

Third Party Advisory

VDB Entry

http://www.securitytracker.com/id/1039119

Third Party Advisory

VDB Entry

https://curl.haxx.se/0809C.patch

Patch

Vendor Advisory

https://curl.haxx.se/docs/adv_20170809C.html

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2017-1000099

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-1000099

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-1000099

EUVD