QwikSec

Security Database

CVE

CWE

Training

CVE-2022-35260

Published: Dec 5, 2022

Modified: Nov 19, 2024

PUBLISHED

Description

curl can be told to parse a `.netrc` file for credentials. If that file endsin a line with 4095 consecutive non-white space letters and no newline, curlwould first read past the end of the stack-based buffer, and if the readworks, write a zero byte beyond its boundary.This will in most cases cause a segfault or similar, but circumstances might also cause different outcomes.If a malicious user can provide a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-of-service.

Vendor	Product	Versions
n/a	https://github.com/curl/curl	affected `Fixed in 7.86.0`

Weaknesses (CWE)

References

https://hackerone.com/reports/1721098

vendor-advisory

https://security.netapp.com/advisory/ntap-20230110-0006/

https://support.apple.com/kb/HT213604

https://support.apple.com/kb/HT213605

20230123 APPLE-SA-2023-01-23-5 macOS Monterey 12.6.3

mailing-list

20230123 APPLE-SA-2023-01-23-4 macOS Ventura 13.2

mailing-list

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.