curl does not sanitize colons in a remote filename that is used as the local filename. This may lead to a vulnerability on systems where the colon is a special path character. Currently Windows is the only OS where this vulnerability applies.
curl offers command line options --remote-name (also usable as -O) and --remote-header-name (also usable as -J). When both of those options are used together (-OJ) and the server provides a remote filename for the content, curl writes its output to that server-provided filename, as long as that file does not already exist. If it does exist curl fails to write.
If both options are used together (-OJ) but the server does not provide a remote filename, or if -O is used without -J, curl writes output to a filename based solely on the remote filename in the URL string provided by the user, regardless of whether or not that file already exists.
In either case curl does not sanitize colons in the filename. As a result, on Windows curl can unintentionally write to a file in the working directory of a drive that is not the current drive (i.e. outside the current working directory), and can also write to a file's alternate data stream.
For example if curl -OJ is used and the server sends filename=f:foo, curl incorrectly writes foo to the working directory for drive F even if drive F is not the current drive. For a more detailed explanation see the 'MORE BACKGROUND AND EXAMPLE' section towards the end of this advisory.
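The following C code is an added example, not code from curl or from this advisory. It shows one way a download tool can neutralize the colon cases described above before using a remote name as a local filename. The function name sanitize_remote_name and the choice to replace a colon with an underscore are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not curl's code): derive a local filename from a
 * server- or URL-supplied name so that it cannot select another drive
 * ("f:foo") or an alternate data stream ("file.txt:stream") on Windows.
 * Returns 0 on success, -1 if the name is unusable or does not fit. */
int sanitize_remote_name(const char *in, char *out, size_t outlen)
{
    const char *base = in;
    const char *p;
    size_t i, len;

    /* Keep only the last path component; both separators count on Windows. */
    for (p = in; *p; p++) {
        if (*p == '/' || *p == '\\')
            base = p + 1;
    }

    len = strlen(base);
    if (len == 0 || len >= outlen)
        return -1;
    if (strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return -1;

    /* Replace every colon so no drive or stream designator survives. */
    for (i = 0; i < len; i++)
        out[i] = (base[i] == ':') ? '_' : base[i];
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample names, including the advisory's f:foo case. */
    const char *samples[] = { "f:foo", "notes.txt:hidden",
                              "a/b\\c:run.bat", "plain.bin", ".." };
    char local[64];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (sanitize_remote_name(samples[i], local, sizeof(local)) == 0)
            printf("%-18s -> %s\n", samples[i], local);
        else
            printf("%-18s -> rejected\n", samples[i]);
    }
    return 0;
}
```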
Though no known exploit is available for this issue at the time of the publication, writing one would be undemanding and could be serious depending on the name of the file and where it ends up being written.
{ "severity": "High", "last_affected": "7.46.0", "CWE": { "desc": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "id": "CWE-22" }, "affects": "tool", "package": "curl", "www": "https://curl.se/docs/CVE-2016-0754.html", "URL": "https://curl.se/docs/CVE-2016-0754.json" }