curl: Multiple vulnerabilities (CVE-2020-8169, CVE-2020-8177)
CVE-2020-8169: Partial password leak over DNS on HTTP redirect
Libcurl can be tricked to prepend a part of the password to the host name before it resolves it, potentially leaking the partial password over the network and to the DNS server(s).
libcurl can be given a username and password for HTTP authentication when requesting an HTTP resource - used for HTTP Authentication such as Basic, Digest, NTLM and similar. The credentials are set either together with CURLOPT_USERPWD or separately with CURLOPT_USERNAME and CURLOPT_PASSWORD. Important detail: these strings are given to libcurl as plain C strings and they are not supposed to be URL encoded. In addition, libcurl also allows the credentials to be set in the URL, using the standard RFC 3986 format: http://user:password@host/path. In this case, the name and password are URL encoded, as that is how they appear in URLs.
- Affected versions: libcurl 7.62.0 to and including 7.70.0
- Not affected versions: libcurl < 7.62.0
Fixed In Version:
curl 7.71.0
References:
- https://curl.haxx.se/docs/CVE-2020-8169.html
- https://www.openwall.com/lists/oss-security/2020/06/24/1
CVE-2020-8177: curl overwrite local file with -J
Curl can be tricked by a malicious server to overwrite a local file when using -J (--remote-header-name) and -i (--head) in the same command line.
The command line tool offers the -J option that saves a remote file using the file name present in the Content-Disposition: response header. curl then refuses to overwrite an existing local file using the same name, if one already exists in the current directory.
The -J flag is designed to save a response body, and so it doesn't work together with -i, and there's logic that forbids it. However, the check is flawed and doesn't properly handle the options being used in the reversed order: first using -J and then -i was mistakenly accepted.
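A constructed model of the option-order flaw described above (added here; it is an illustration, not curl's own tool_getparam.c, and the struct and function names are assumptions): an order-dependent check that only runs when -J is parsed rejects "-i -J" but accepts "-J -i", whereas validating the combination after all options have been collected rejects both orders.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of the flaw described above; names and structure are
 * assumptions for illustration, not curl's own tool_getparam.c. */
struct opts {
    bool show_headers;        /* -i */
    bool content_disposition; /* -J */
};

/* Order-dependent validation: only the -J handler consults the other flag,
 * so "-i -J" is rejected but "-J -i" is accepted. */
static bool flawed_parse(int argc, const char *const *argv, struct opts *o) {
    memset(o, 0, sizeof *o);
    for (int i = 0; i < argc; i++) {
        if (strcmp(argv[i], "-i") == 0) {
            o->show_headers = true;            /* no cross-check here */
        } else if (strcmp(argv[i], "-J") == 0) {
            if (o->show_headers) return false; /* catches "-i -J" only */
            o->content_disposition = true;
        }
    }
    return true;
}

/* Robust validation: collect all options first, then check the combination
 * once, so the outcome cannot depend on argument order. */
static bool fixed_parse(int argc, const char *const *argv, struct opts *o) {
    memset(o, 0, sizeof *o);
    for (int i = 0; i < argc; i++) {
        if (strcmp(argv[i], "-i") == 0) o->show_headers = true;
        else if (strcmp(argv[i], "-J") == 0) o->content_disposition = true;
    }
    return !(o->show_headers && o->content_disposition);
}

/* Run a two-option command line through each parser; true = accepted. */
bool accepted_by_flawed(const char *a, const char *b) {
    const char *const argv[] = {a, b};
    struct opts o;
    return flawed_parse(2, argv, &o);
}
bool accepted_by_fixed(const char *a, const char *b) {
    const char *const argv[] = {a, b};
    struct opts o;
    return fixed_parse(2, argv, &o);
}
```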
- Affected versions: curl 7.20.0 to and including 7.70.0
- Not affected versions: curl < 7.20.0 and curl >= 7.71.0
Fixed In Version:
curl 7.71.0
References:
- https://curl.haxx.se/docs/CVE-2020-8177.html
- https://www.openwall.com/lists/oss-security/2020/06/24/2
Affected branches:
- master
- 3.12-stable
- 3.11-stable
- 3.10-stable
- 3.9-stable