CVE-2019-3822

libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function that creates an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`) generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from being overflowed is implemented wrongly (using unsigned math), so it does not prevent the overflow from happening. The output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by a malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header.
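The unsigned-math failure described above, as an added example that is a simplified model and not libcurl's own code: `BUF_SIZE`, the 64-byte starting offset and all function names are assumptions made for illustration. It shows a guard that subtracts a server-controlled length in `size_t` arithmetic beside a guard that cannot wrap.

```c
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 1024 /* assumed size of the local output buffer */

/* Flawed guard: BUF_SIZE - resp_len is evaluated as size_t, so a resp_len
   above BUF_SIZE wraps to a huge value and the comparison passes. */
static int guard_unsigned_sub(size_t used, size_t resp_len)
{
  return used < (BUF_SIZE - resp_len);
}

/* Corrected guard: only subtract values already known not to underflow. */
static int guard_checked(size_t used, size_t resp_len)
{
  return used <= BUF_SIZE && resp_len <= BUF_SIZE - used;
}

/* Append resp if the chosen guard allows it. Returns 0 when appended,
   -1 when the guard rejects, -2 when the guard passed a copy that would
   overflow (the copy is refused here so the demo stays memory-safe). */
static int append_response(unsigned char *buf, size_t *used,
                           const unsigned char *resp, size_t resp_len,
                           int (*guard)(size_t, size_t))
{
  if(!guard(*used, resp_len))
    return -1;
  if(!guard_checked(*used, resp_len))
    return -2;
  memcpy(buf + *used, resp, resp_len);
  *used += resp_len;
  return 0;
}

/* Constructed scenario: 64 bytes already in the buffer, then a
   server-supplied response of resp_len bytes is appended. */
int try_append(size_t resp_len, int use_fixed)
{
  static unsigned char resp[BUF_SIZE]; /* constructed sample data */
  unsigned char buf[BUF_SIZE];
  size_t used = 64;
  return append_response(buf, &used, resp, resp_len,
                         use_fixed ? guard_checked : guard_unsigned_sub);
}
```

A return value of -2 from `try_append` marks the case where the flawed guard would have let an oversized copy reach `memcpy`.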

Published: 2019-02-06 20:29
Updated: 2019-07-19 09:15

CVSS Score: 7.5 / 10
| Vendor | Product | Version | URI |
|---|---|---|---|
| Haxx | Libcurl | 7.36.0 | `cpe:/a:haxx:libcurl:7.36.0` |
| Haxx | Libcurl | 7.37.0 | `cpe:/a:haxx:libcurl:7.37.0` |
| Haxx | Libcurl | 7.37.1 | `cpe:/a:haxx:libcurl:7.37.1` |
| Haxx | Libcurl | 7.38.0 | `cpe:/a:haxx:libcurl:7.38.0` |
| Haxx | Libcurl | 7.39 | `cpe:/a:haxx:libcurl:7.39` |
| Haxx | Libcurl | 7.39.0 | `cpe:/a:haxx:libcurl:7.39.0` |
| Haxx | Libcurl | 7.40.0 | `cpe:/a:haxx:libcurl:7.40.0` |
| Haxx | Libcurl | 7.41.0 | `cpe:/a:haxx:libcurl:7.41.0` |
| Haxx | Libcurl | 7.42 | `cpe:/a:haxx:libcurl:7.42` |
| Haxx | Libcurl | 7.42.0 | `cpe:/a:haxx:libcurl:7.42.0` |
| Haxx | Libcurl | 7.42.1 | `cpe:/a:haxx:libcurl:7.42.1` |
| Haxx | Libcurl | 7.43.0 | `cpe:/a:haxx:libcurl:7.43.0` |
| Haxx | Libcurl | 7.44.0 | `cpe:/a:haxx:libcurl:7.44.0` |
| Haxx | Libcurl | 7.45.0 | `cpe:/a:haxx:libcurl:7.45.0` |
| Haxx | Libcurl | 7.46.0 | `cpe:/a:haxx:libcurl:7.46.0` |
| Haxx | Libcurl | 7.47.0 | `cpe:/a:haxx:libcurl:7.47.0` |
| Haxx | Libcurl | 7.47.1 | `cpe:/a:haxx:libcurl:7.47.1` |
| Haxx | Libcurl | 7.48.0 | `cpe:/a:haxx:libcurl:7.48.0` |
| Haxx | Libcurl | 7.49.0 | `cpe:/a:haxx:libcurl:7.49.0` |
| Haxx | Libcurl | 7.49.1 | `cpe:/a:haxx:libcurl:7.49.1` |
| Haxx | Libcurl | 7.50.0 | `cpe:/a:haxx:libcurl:7.50.0` |
| Haxx | Libcurl | 7.50.1 | `cpe:/a:haxx:libcurl:7.50.1` |
| Haxx | Libcurl | 7.50.2 | `cpe:/a:haxx:libcurl:7.50.2` |
| Haxx | Libcurl | 7.50.3 | `cpe:/a:haxx:libcurl:7.50.3` |
| Haxx | Libcurl | 7.51.0 | `cpe:/a:haxx:libcurl:7.51.0` |
| Haxx | Libcurl | 7.52.0 | `cpe:/a:haxx:libcurl:7.52.0` |
| Haxx | Libcurl | 7.52.1 | `cpe:/a:haxx:libcurl:7.52.1` |
| Haxx | Libcurl | 7.53.0 | `cpe:/a:haxx:libcurl:7.53.0` |
| Haxx | Libcurl | 7.53.1 | `cpe:/a:haxx:libcurl:7.53.1` |
| Haxx | Libcurl | 7.54.0 | `cpe:/a:haxx:libcurl:7.54.0` |
| Haxx | Libcurl | 7.54.1 | `cpe:/a:haxx:libcurl:7.54.1` |
| Haxx | Libcurl | 7.55.0 | `cpe:/a:haxx:libcurl:7.55.0` |
| Haxx | Libcurl | 7.55.1 | `cpe:/a:haxx:libcurl:7.55.1` |
| Haxx | Libcurl | 7.56.0 | `cpe:/a:haxx:libcurl:7.56.0` |
| Haxx | Libcurl | 7.56.1 | `cpe:/a:haxx:libcurl:7.56.1` |
| Haxx | Libcurl | 7.57.0 | `cpe:/a:haxx:libcurl:7.57.0` |
| Haxx | Libcurl | 7.58.0 | `cpe:/a:haxx:libcurl:7.58.0` |
| Haxx | Libcurl | 7.59.0 | `cpe:/a:haxx:libcurl:7.59.0` |
| Haxx | Libcurl | 7.60.0 | `cpe:/a:haxx:libcurl:7.60.0` |
| Haxx | Libcurl | 7.61.0 | `cpe:/a:haxx:libcurl:7.61.0` |
| Haxx | Libcurl | 7.61.1 | `cpe:/a:haxx:libcurl:7.61.1` |
| Haxx | Libcurl | 7.62.0 | `cpe:/a:haxx:libcurl:7.62.0` |
| Haxx | Libcurl | 7.63.0 | `cpe:/a:haxx:libcurl:7.63.0` |
| Canonical | Ubuntu Linux | 16.04 | `cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~` |
| Canonical | Ubuntu Linux | 18.04 | `cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~` |
| Canonical | Ubuntu Linux | 18.10 | `cpe:/o:canonical:ubuntu_linux:18.10` |
| Debian | Debian Linux | 9.0 | `cpe:/o:debian:debian_linux:9.0` |
| Oracle | Communications Operations Monitor | 3.4 | `cpe:/a:oracle:communications_operations_monitor:3.4` |
| Oracle | Communications Operations Monitor | 4.0 | `cpe:/a:oracle:communications_operations_monitor:4.0` |
| Oracle | Http Server | 12.2.1.3.0 | `cpe:/a:oracle:http_server:12.2.1.3.0` |
| Oracle | Secure Global Desktop | 5.4 | `cpe:/a:oracle:secure_global_desktop:5.4` |
| Siemens | Sinema Remote Connect Client | 2.0 | `cpe:/a:siemens:sinema_remote_connect_client:2.0` |
| Canonical | Ubuntu Linux | 14.04 | `cpe:/o:canonical:ubuntu_linux:14.04::~~lts~~~` |
| Netapp | Clustered Data Ontap | | `cpe:/o:netapp:clustered_data_ontap` |

CWE

| ID | Name | Description |
|---|---|---|
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. |

History of changes

Date Event
2019-07-19 09:15
2019-04-26 15:53
2019-04-23 19:32
2019-04-09 13:29
2019-03-18 19:25
2019-03-15 10:29
2019-03-13 16:24
2019-03-11 11:29
2019-02-14 20:12
2019-02-09 11:29
2019-02-07 11:29
2019-02-06 20:29

New CVE