[Forgot Password]
Login  Register Subscribe

30479

 
 

423868

 
 

248268

 
 

909

 
 

195051

 
 

282

 
Paid content will be excluded from the download.


Download | Alert*
CVE
view JSON

CVE-2019-3822Date: (C)2019-04-30   (M)2024-02-01


libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V3 Severity:CVSS V2 Severity:
CVSS Score : 9.8CVSS Score : 7.5
Exploit Score: 3.9Exploit Score: 10.0
Impact Score: 5.9Impact Score: 6.4
 
CVSS V3 Metrics:CVSS V2 Metrics:
Attack Vector: NETWORKAccess Vector: NETWORK
Attack Complexity: LOWAccess Complexity: LOW
Privileges Required: NONEAuthentication: NONE
User Interaction: NONEConfidentiality: PARTIAL
Scope: UNCHANGEDIntegrity: PARTIAL
Confidentiality: HIGHAvailability: PARTIAL
Integrity: HIGH 
Availability: HIGH 
  
Reference:
BID-106950
DSA-4386
GLSA-201903-03
RHSA-2019:3701
USN-3882-1
https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f%40%3Cdevnull.infra.apache.org%3E
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3822
https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf
https://curl.haxx.se/docs/CVE-2019-3822.html
https://security.netapp.com/advisory/ntap-20190315-0001/
https://security.netapp.com/advisory/ntap-20190719-0004/
https://support.f5.com/csp/article/K84141449
https://support.f5.com/csp/article/K84141449?utm_source=f5support&%3Butm_medium=RSS
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

CPE    4
cpe:/o:debian:debian_linux:9.0
cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~
cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
cpe:/o:canonical:ubuntu_linux:14.04::~~lts~~~
...
CWE    1
CWE-787
OVAL    19
oval:org.secpod.oval:def:503382
oval:org.secpod.oval:def:2103499
oval:org.secpod.oval:def:89003369
oval:org.secpod.oval:def:89003325
...

© SecPod Technologies