Vulnerability Name:

CVE-2010-3842 (CCN-62556)

Assigned:2010-10-13
Published:2010-10-13
Updated:2010-10-28
Summary:Absolute path traversal vulnerability in curl 7.20.0 through 7.21.1, when the --remote-header-name or -J option is used, allows remote servers to create or overwrite arbitrary files by using \ (backslash) as a separator of path components within the Content-disposition HTTP header.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:5.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P)
4.3 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-22
Vulnerability Consequences:File Manipulation
References:Source: CCN
Type: cURL Web page
cURL

Source: CCN
Type: Project cURL Security Advisory, October 13th 2010
curl local file overwrite

Source: CONFIRM
Type: Vendor Advisory
http://curl.haxx.se/docs/adv_20101013.html

Source: MITRE
Type: CNA
CVE-2010-3842

Source: CCN
Type: SA39532
cURL Content-Disposition Header Filename Parsing Vulnerability

Source: SECUNIA
Type: Vendor Advisory
39532

Source: CCN
Type: SECTRACK ID: 1024583
cURL 'Content-disposition' Header Processing Flaw Lets Remote Users Overwrite Files and Potentially

Source: SECTRACK
Type: UNKNOWN
1024583

Source: MLIST
Type: UNKNOWN
[oss-security] 20101013 CVE Request -- cURL / mingw32-cURL -- Did not strip directory parts separated by backslashes, when downloading files

Source: MLIST
Type: Patch
[oss-security] 20101013 Re: CVE Request -- cURL / mingw32-cURL -- Did not strip directory parts separated by backslashes, when downloading files

Source: MLIST
Type: UNKNOWN
[oss-security] 20101013 Re: CVE Request -- cURL / mingw32-cURL -- Did not strip directory parts separated by backslashes, when downloading files

Source: CCN
Type: OSVDB ID: 68698
cURL src/main.c parse_filename() Function Content-Disposition HTTP Header Filename Handling Arbitrary File Overwrite

Source: CCN
Type: BID-44086
curl 'Content-Disposition' HTTP Header Arbitrary File Overwrite Vulnerability

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=642642

Source: XF
Type: UNKNOWN
curl-parsefilename-file-overwrite(62556)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:curl:curl:7.20.0:*:*:*:*:*:*:*
  • OR cpe:/a:curl:curl:7.20.1:*:*:*:*:*:*:*
  • OR cpe:/a:curl:curl:7.21.1:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:curl:curl:7.20.1:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    curl curl 7.20.0
    curl curl 7.20.1
    curl curl 7.21.1
    curl curl 7.20.1