DEBIAN-CVE-2017-1000101
Advisory lineage Upstream: 1 Downstream: 1
Upstream
Downstream
Published: 05 Oct 2017, 01:29
Last modified:28 Apr 2026, 20:16
Vulnerability Summary
Overall Risk (default)
medium
26/100 CVSS Score
6.5 MEDIUM
3.0 (osv_debian)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
05 Oct 2017, 01:29
Published
Vulnerability first disclosed
28 Apr 2026, 20:16
Last Modified
Vulnerability information updated
Description
curl supports "globbing" of URLs, in which a user can pass a numerical range to have the tool iterate over those numbers to do a sequence of transfers. In the globbing function that parses the numerical range, there was an omission that made curl read a byte beyond the end of the URL if given a carefully crafted, or just wrongly written, URL. The URL is stored in a heap based buffer, so it could then be made to wrongly read something else instead of crashing. An example of a URL that triggers the flaw would be `http://ur%20[0-60000000000000000000`.
CVSS Metrics
- v3.0•MEDIUM•Score: 6.5CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Affected Systems
- debian•curl
< 7.55.0-1 | < 7.55.0-1 | < 7.55.0-1 | < 7.55.0-1