CVE-2012-0036

EUVD-2012-0076
curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:P/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 90%
Affected Products (NVD)
VendorProductVersion
curlcurl
7.20.0
curlcurl
7.20.1
curlcurl
7.21.0
curlcurl
7.21.1
curlcurl
7.21.2
curlcurl
7.21.3
curlcurl
7.21.4
curlcurl
7.21.5
curlcurl
7.21.6
curlcurl
7.21.7
curlcurl
7.22.0
curlcurl
7.23.0
curlcurl
7.23.1
curllibcurl
7.20.0
curllibcurl
7.20.1
curllibcurl
7.21.0
curllibcurl
7.21.1
curllibcurl
7.21.2
curllibcurl
7.21.3
curllibcurl
7.21.4
curllibcurl
7.21.5
curllibcurl
7.21.6
curllibcurl
7.21.7
curllibcurl
7.22.0
curllibcurl
7.23.0
curllibcurl
7.23.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
curl
bookworm
7.88.1-10+deb12u7
fixed
bookworm (security)
7.88.1-10+deb12u5
fixed
bullseye
7.74.0-1.3+deb11u13
fixed
bullseye (security)
7.74.0-1.3+deb11u11
fixed
lenny
not-affected
sid
8.10.1-2
fixed
trixie
8.10.1-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
curl
hardy
not-affected
lucid
not-affected
maverick
Fixed 7.21.0-1ubuntu1.3
released
natty
Fixed 7.21.3-1ubuntu1.5
released
oneiric
Fixed 7.21.6-3ubuntu3.2
released
Common Weakness Enumeration
References
http://curl.haxx.se/curl-url-sanitize.patch
http://curl.haxx.se/docs/adv_20120124.html
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041
http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
http://secunia.com/advisories/48256
http://security.gentoo.org/glsa/glsa-201203-02.xml
http://support.apple.com/kb/HT5281
http://www.debian.org/security/2012/dsa-2398
http://www.mandriva.com/security/advisories?name=MDVSA-2012:058
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.securityfocus.com/bid/51665
http://www.securitytracker.com/id/1032924
https://bugzilla.redhat.com/show_bug.cgi?id=773457
https://github.com/bagder/curl/commit/75ca568fa1c19de4c5358fed246686de8467c238
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03760en_us
http://curl.haxx.se/curl-url-sanitize.patch
http://curl.haxx.se/docs/adv_20120124.html
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041
http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
http://secunia.com/advisories/48256
http://security.gentoo.org/glsa/glsa-201203-02.xml
http://support.apple.com/kb/HT5281
http://www.debian.org/security/2012/dsa-2398
http://www.mandriva.com/security/advisories?name=MDVSA-2012:058
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.securityfocus.com/bid/51665
http://www.securitytracker.com/id/1032924
https://bugzilla.redhat.com/show_bug.cgi?id=773457
https://github.com/bagder/curl/commit/75ca568fa1c19de4c5358fed246686de8467c238
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03760en_us