Vulnerability Details CVE-2010-0734
content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enabled, does not properly restrict the amount of callback data sent to an application that requests automatic decompression, which might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact by sending crafted compressed data to an application that relies on the intended data-length limit.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.048
EPSS Ranking 89.1%
CVSS Severity
CVSS v2 Score 6.8
References
- http://curl.haxx.se/docs/adv_20100209.html
- http://curl.haxx.se/docs/security.html#20100209
- http://curl.haxx.se/libcurl-contentencoding.patch
- http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-March/036744.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-March/037143.html
- http://secunia.com/advisories/38843
- http://secunia.com/advisories/38981
- http://secunia.com/advisories/39087
- http://secunia.com/advisories/39734
- http://secunia.com/advisories/40220
- http://secunia.com/advisories/45047
- http://secunia.com/advisories/48256
- http://security.gentoo.org/glsa/glsa-201203-02.xml
- http://support.apple.com/kb/HT4188
- http://support.avaya.com/css/P8/documents/100081819
- http://wiki.rpath.com/Advisories:rPSA-2010-0072
- http://www.debian.org/security/2010/dsa-2023
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:062
- http://www.openwall.com/lists/oss-security/2010/02/09/5
- http://www.openwall.com/lists/oss-security/2010/03/09/1
- http://www.openwall.com/lists/oss-security/2010/03/16/11
- http://www.redhat.com/support/errata/RHSA-2010-0329.html
- http://www.securityfocus.com/archive/1/514490/100/0/threaded
- http://www.securityfocus.com/archive/1/516397/100/0/threaded
- http://www.ubuntu.com/usn/USN-1158-1
- http://www.vmware.com/security/advisories/VMSA-2011-0003.html
- http://www.vupen.com/english/advisories/2010/0571
- http://www.vupen.com/english/advisories/2010/0602
- http://www.vupen.com/english/advisories/2010/0660
- http://www.vupen.com/english/advisories/2010/0725
- http://www.vupen.com/english/advisories/2010/1481
- https://bugzilla.redhat.com/show_bug.cgi?id=563220
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10760
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6756
- http://curl.haxx.se/docs/adv_20100209.html
- http://curl.haxx.se/docs/security.html#20100209
- http://curl.haxx.se/libcurl-contentencoding.patch
- http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-March/036744.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-March/037143.html
- http://secunia.com/advisories/38843
- http://secunia.com/advisories/38981
- http://secunia.com/advisories/39087
- http://secunia.com/advisories/39734
- http://secunia.com/advisories/40220
- http://secunia.com/advisories/45047
- http://secunia.com/advisories/48256
- http://security.gentoo.org/glsa/glsa-201203-02.xml
- http://support.apple.com/kb/HT4188
- http://support.avaya.com/css/P8/documents/100081819
- http://wiki.rpath.com/Advisories:rPSA-2010-0072
- http://www.debian.org/security/2010/dsa-2023
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:062
- http://www.openwall.com/lists/oss-security/2010/02/09/5
- http://www.openwall.com/lists/oss-security/2010/03/09/1
- http://www.openwall.com/lists/oss-security/2010/03/16/11
- http://www.redhat.com/support/errata/RHSA-2010-0329.html
- http://www.securityfocus.com/archive/1/514490/100/0/threaded
- http://www.securityfocus.com/archive/1/516397/100/0/threaded
- http://www.ubuntu.com/usn/USN-1158-1
- http://www.vmware.com/security/advisories/VMSA-2011-0003.html
- http://www.vupen.com/english/advisories/2010/0571
- http://www.vupen.com/english/advisories/2010/0602
- http://www.vupen.com/english/advisories/2010/0660
- http://www.vupen.com/english/advisories/2010/0725
- http://www.vupen.com/english/advisories/2010/1481
- https://bugzilla.redhat.com/show_bug.cgi?id=563220
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10760
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6756
Products affected by CVE-2010-0734
-
cpe:2.3:a:curl:libcurl:7.10.5
-
cpe:2.3:a:curl:libcurl:7.10.6
-
cpe:2.3:a:curl:libcurl:7.10.7
-
cpe:2.3:a:curl:libcurl:7.10.8
-
cpe:2.3:a:curl:libcurl:7.11.0
-
cpe:2.3:a:curl:libcurl:7.11.1
-
cpe:2.3:a:curl:libcurl:7.11.2
-
cpe:2.3:a:curl:libcurl:7.12
-
cpe:2.3:a:curl:libcurl:7.12.0
-
cpe:2.3:a:curl:libcurl:7.12.1
-
cpe:2.3:a:curl:libcurl:7.12.2
-
cpe:2.3:a:curl:libcurl:7.12.3
-
cpe:2.3:a:curl:libcurl:7.13
-
cpe:2.3:a:curl:libcurl:7.13.1
-
cpe:2.3:a:curl:libcurl:7.13.2
-
cpe:2.3:a:curl:libcurl:7.14
-
cpe:2.3:a:curl:libcurl:7.14.1
-
cpe:2.3:a:curl:libcurl:7.15
-
cpe:2.3:a:curl:libcurl:7.15.1
-
cpe:2.3:a:curl:libcurl:7.15.2
-
cpe:2.3:a:curl:libcurl:7.15.3
-
cpe:2.3:a:curl:libcurl:7.16.3
-
cpe:2.3:a:curl:libcurl:7.17.0
-
cpe:2.3:a:curl:libcurl:7.17.1
-
cpe:2.3:a:curl:libcurl:7.18.0
-
cpe:2.3:a:curl:libcurl:7.18.1
-
cpe:2.3:a:curl:libcurl:7.18.2
-
cpe:2.3:a:curl:libcurl:7.19.0
-
cpe:2.3:a:curl:libcurl:7.19.1
-
cpe:2.3:a:curl:libcurl:7.19.2
-
cpe:2.3:a:curl:libcurl:7.19.3
-
cpe:2.3:a:curl:libcurl:7.19.4
-
cpe:2.3:a:curl:libcurl:7.19.5
-
cpe:2.3:a:curl:libcurl:7.19.6
-
cpe:2.3:a:curl:libcurl:7.19.7