CVE-2012-0036

Advisory lineage Upstream: 0 Downstream: 2
Modified
Published: 13 Apr 2012, 20:00
Last modified:06 Aug 2024, 18:09

Vulnerability Summary

Overall Risk (default)
medium
32/100
CVSS Score
7.5 HIGH
v2.0 (nvd)
EPSS Score
10.34% MEDIUM
10% probability +3.81%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

13 Apr 2012, 20:00
Published
Vulnerability first disclosed
06 Aug 2024, 18:09
Last Modified
Vulnerability information updated

Description

curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.

CVSS Metrics

  • v2.0HIGHScore: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 10.34% Percentile: 93%

Techniques & Countermeasures

  • CWE-89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

    The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Affected Systems

  • curlcurl

    7.20.0 | 7.20.1 | 7.21.0 | 7.21.1 | 7.21.2 | 7.21.3 | 7.21.4 | 7.21.5 | 7.21.6 | 7.21.7 | 7.22.0 | 7.23.0 | 7.23.1

  • curllibcurl

    7.20.0 | 7.20.1 | 7.21.0 | 7.21.1 | 7.21.2 | 7.21.3 | 7.21.4 | 7.21.5 | 7.21.6 | 7.21.7 | 7.22.0 | 7.23.0 | 7.23.1

References (15)