Main Vulnerability Database SB2012020208

SB2012020208 - SQL injection in curl (Alpine package)

Published: February 2, 2012

Security Bulletin ID SB2012020208

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) SQL injection (CVE-ID: CVE-2012-0036)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=6e5c47e2e08e17d1a42d9f3865eec2d6a0a941fd
https://git.alpinelinux.org/aports/commit/?id=76b7efcfd70b565bb63160dca4268c99f6d0770c
https://git.alpinelinux.org/aports/commit/?id=8fdf25f4310c5206bb1aac5d052d642b65c7bced