CVE-2009-0037

The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL.
CSRF
Severity
UNKNOWN
AV:N/AC:M/Au:N/C:P/I:P/A:P
Atk. Vector
NETWORK
Atk. Complexity
MEDIUM
Base Score
CVSS 3.x
EPSS Score
Percentile: 79%
VendorProductVersion
curlcurl
5.11
curlcurl
6.0
curlcurl
6.1beta
curlcurl
6.2
curlcurl
6.3
curlcurl
6.3.1
curlcurl
6.4
curlcurl
6.5
curlcurl
6.5.1
curlcurl
6.5.2
curlcurl
7.1
curlcurl
7.1.1
curlcurl
7.2
curlcurl
7.2.1
curlcurl
7.3
curlcurl
7.4
curlcurl
7.4.1
curlcurl
7.4.2
curlcurl
7.5
curlcurl
7.5.1
curlcurl
7.5.2
curlcurl
7.6
curlcurl
7.6.1
curlcurl
7.7
curlcurl
7.7.1
curlcurl
7.7.2
curlcurl
7.7.3
curlcurl
7.8
curlcurl
7.8.1
curlcurl
7.8.2
curlcurl
7.9
curlcurl
7.9.1
curlcurl
7.9.2
curlcurl
7.9.3
curlcurl
7.9.4
curlcurl
7.9.5
curlcurl
7.9.6
curlcurl
7.9.7
curlcurl
7.9.8
curlcurl
7.10
curlcurl
7.10.1
curlcurl
7.10.2
curlcurl
7.10.3
curlcurl
7.10.4
curlcurl
7.10.5
curlcurl
7.10.6
curlcurl
7.10.7
curlcurl
7.10.8
curlcurl
7.11.1
curlcurl
7.12
curlcurl
7.12.1
curlcurl
7.12.2
curlcurl
7.13
curlcurl
7.13.2
curlcurl
7.14
curlcurl
7.14.1
curlcurl
7.15
curlcurl
7.15.1
curlcurl
7.15.3
curlcurl
7.16.3
curlcurl
7.16.4
curlcurl
7.17
curlcurl
7.18
curlcurl
7.19.3
curllibcurl
5.11
curllibcurl
7.12
curllibcurl
7.12.1
curllibcurl
7.12.2
curllibcurl
7.12.3
curllibcurl
7.13
curllibcurl
7.13.1
curllibcurl
7.13.2
curllibcurl
7.14
curllibcurl
7.14.1
curllibcurl
7.15
curllibcurl
7.15.1
curllibcurl
7.15.2
curllibcurl
7.15.3
curllibcurl
7.16.3
curllibcurl
7.19.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
curl
bullseye
7.74.0-1.3+deb11u13
fixed
bullseye (security)
7.74.0-1.3+deb11u11
fixed
bookworm
7.88.1-10+deb12u7
fixed
bookworm (security)
7.88.1-10+deb12u5
fixed
sid
8.10.1-2
fixed
trixie
8.10.1-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
curl
intrepid
Fixed 7.18.2-1ubuntu4.1
released
hardy
Fixed 7.18.0-1ubuntu2.1
released
gutsy
Fixed 7.16.4-2ubuntu1.1
released
dapper
Fixed 7.15.1-1ubuntu3.1
released
References