curl: Multiple vulnerabilities (CVE-2020-8169, CVE-2020-8177)
CVE-2020-8169: Partial password leak over DNS on HTTP redirect
libcurl can be tricked into prepending part of the password to the host name before it resolves it, potentially leaking the partial password over the network and to the DNS server(s).

libcurl can be given a username and password for HTTP authentication when requesting an HTTP resource; this is used for HTTP authentication schemes such as Basic, Digest, NTLM and similar. The credentials are set either together with CURLOPT_USERPWD or separately with CURLOPT_USERNAME and CURLOPT_PASSWORD. Important detail: these strings are given to libcurl as plain C strings and they are not supposed to be URL encoded.

In addition, libcurl also allows the credentials to be set in the URL, using the standard RFC 3986 format: http://user:password@host/path. In this case, the name and password are URL encoded, as that is how they appear in URLs.
- Affected versions: libcurl 7.62.0 to and including 7.70.0
- Not affected versions: libcurl < 7.62.0
Fixed In Version:
CVE-2020-8177: curl overwrite local file with -J
curl can be tricked by a malicious server into overwriting a local file when using -J and -i (--head) in the same command line.

The command line tool offers the -J option that saves a remote file using the file name present in the Content-Disposition: response header. curl then refuses to overwrite an existing local file using the same name, if one already exists in the current directory.

The -J flag is designed to save a response body, and so it doesn't work together with -i, and there is logic that forbids that combination. However, the check is flawed and doesn't properly handle the options being used in the reversed order: first using -J and then -i was mistakenly accepted.
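The order-dependence described above, modelled as an added example (not curl's own code): a conflict check that runs only while one option is being parsed misses the other order, while a check over the final option set does not. The function name and the option dictionary are assumptions for the illustration.

```python
# Model of the -J / -i conflict check described in the advisory. This is an added
# illustration of the logic flaw, not curl's actual option parser.

def parse_options(argv, check_at_parse_time=True):
    """Return (accepted, options) for a list of curl-style flags.

    check_at_parse_time=True mimics the flawed behaviour: the conflict is only
    noticed while handling -J, so "-i -J" is rejected but "-J -i" slips through.
    check_at_parse_time=False validates the final option set after parsing, so
    the result no longer depends on argument order.
    """
    opts = {"remote_header_name": False, "include_headers": False}
    for arg in argv:
        if arg == "-J":
            # Flawed variant: only this branch looks for the conflict.
            if check_at_parse_time and opts["include_headers"]:
                return False, opts
            opts["remote_header_name"] = True
        elif arg == "-i":
            # No check here, so a later -i is never caught by the flawed variant.
            opts["include_headers"] = True
        # Other options are irrelevant to this particular check.

    # Fixed variant: decide on the complete option set, independent of order.
    if not check_at_parse_time and opts["remote_header_name"] and opts["include_headers"]:
        return False, opts
    return True, opts


def accepted(argv, check_at_parse_time=True):
    """Convenience wrapper returning only the accept/reject decision."""
    return parse_options(argv, check_at_parse_time)[0]
```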
- Affected versions: curl 7.20.0 to and including 7.70.0
- Not affected versions: curl < 7.20.0 and curl >= 7.71.0
Fixed In Version: