{"id":"CURL-CVE-2012-0036","summary":"URL sanitization vulnerability","details":"curl is vulnerable to a data injection attack for certain protocols through\ncontrol characters embedded or percent-encoded in URLs.\n\nWhen parsing URLs, libcurl's parser is liberal and only parses as little as\npossible and lets as much as possible through as long as it can figure out\nwhat to do.\n\nIn the specific process when libcurl extracts the file path part from a given\nURL, it did not always verify the data or escape control characters properly\nbefore it passed the file path on to the protocol-specific code that then\nwould use it for its protocol business.\n\nThis passing through of control characters could be exploited by someone who\nwould be able to pass in a handcrafted URL to libcurl. Lots of libcurl\nusing applications let users enter URLs in one form or another and not all\nof these check the input carefully to prevent malicious ones.\n\nA malicious user might pass in %0d%0a to get treated as CR LF by libcurl,\nand by using this fact a user can trick for example a POP3 client to delete\na message instead of getting it or trick an SMTP server to send an\nunintended message.\n\nThis vulnerability can be used to fool libcurl with the following protocols:\nIMAP, POP3 and SMTP.\n\nBoth curl the command line tool and applications using the libcurl library\nare vulnerable.","aliases":["CVE-2012-0036"],"modified":"2024-06-07T13:53:51Z","published":"2012-01-24T08:00:00Z","database_specific":{"last_affected":"7.23.1","CWE":{"id":"CWE-93","desc":"Improper Neutralization of CRLF Sequences ('CRLF Injection')"},"severity":"High","affects":"both","package":"curl","URL":"https://curl.se/docs/CVE-2012-0036.json","www":"https://curl.se/docs/CVE-2012-0036.html"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.20.0"},{"fixed":"7.24.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"ec3bb8f727405642a471b4b1b9eb0118fc003104"},{"fixed":"75ca568fa1c19de4c5358fed246686de8467c238"}]}],"versions":["7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0"],"database_specific":{"vanir_signatures":[{"digest":{"length":778,"function_hash":"32760302044978136694694616851143496895"},"id":"CURL-CVE-2012-0036-456f5601","signature_type":"Function","deprecated":false,"target":{"function":"curl_easy_unescape","file":"lib/escape.c"},"source":"https://github.com/curl/curl.git/commit/75ca568fa1c19de4c5358fed246686de8467c238","signature_version":"v1"},{"digest":{"length":276,"function_hash":"152104772657650281014913442859453270711"},"id":"CURL-CVE-2012-0036-553b6914","signature_type":"Function","deprecated":false,"target":{"function":"pop3_parse_url_path","file":"lib/pop3.c"},"source":"https://github.com/curl/curl.git/commit/75ca568fa1c19de4c5358fed246686de8467c238","signature_version":"v1"},{"digest":{"line_hashes":["289676663242325435267868212977011687307","160387536605704657018233122569268263304","92597149843839205712255017020079115968","274157020583527495237254044782395518469","200919635163494845738189419422214661121","65794685510059560304806326818645704018","266438864602169172734384918140951829578","191177376832551999170018048198747581045","6809147141095717193347317035618580359","145874760779299490006054639306198637531"],"threshold":0.9},"id":"CURL-CVE-2012-0036-624d8f89","signature_type":"Line","deprecated":false,"target":{"file":"lib/smtp.c"},"source":"https://github.com/curl/curl.git/commit/75ca568fa1c19de4c5358fed246686de8467c238","signature_version":"v1"},{"digest":{"line_hashes":["93979085212023086335496714947826050648","192030158730807940704905155969957507456","33866927890473040590271847428075567261","134741031626372711275934653333806451076","276729252764961996990345163913039205277","609071054598281033347412030886372154","276687285254725751356491384739755483014"],"threshold":0.9},"id":"CURL-CVE-2012-0036-71dc209e","signature_type":"Line","deprecated":false,"target":{"file":"lib/pop3.c"},"source":"https://github.com/curl/curl.git/commit/75ca568fa1c19de4c5358fed246686de8467c238","signature_version":"v1"},{"digest":{"length":1680,"function_hash":"18792604035435366741779047997625955256"},"id":"CURL-CVE-2012-0036-91f62907","signature_type":"Function","deprecated":false,"target":{"function":"smtp_connect","file":"lib/smtp.c"},"source":"https://github.com/curl/curl.git/commit/75ca568fa1c19de4c5358fed246686de8467c238","signature_version":"v1"},{"digest":{"length":320,"function_hash":"6109148621262558420891667288922420960"},"id":"CURL-CVE-2012-0036-bc11a78c","signature_type":"Function","deprecated":false,"target":{"function":"imap_parse_url_path","file":"lib/imap.c"},"source":"https://github.com/curl/curl.git/commit/75ca568fa1c19de4c5358fed246686de8467c238","signature_version":"v1"},{"digest":{"line_hashes":["316333213457632560275226530092665608511"],"threshold":0.9},"id":"CURL-CVE-2012-0036-be655541","signature_type":"Line","deprecated":false,"target":{"file":"lib/escape.h"},"source":"https://github.com/curl/curl.git/commit/75ca568fa1c19de4c5358fed246686de8467c238","signature_version":"v1"},{"digest":{"line_hashes":["140151261084006111940384725971902544788","71580518163669793850389642003202646860","11055424790199774428392885293499855310","10925956037217612288499997824926288430","208967052605487422501912778702236265077","224978158997788912236791628493999668903","284091673971244838382481629813452061954","205633132920762477056722988473810885418","338555381113413773433392830306624408731","159724580327305969477773486205581777239","230359298790232151546151375568713282537","176107535372052773378218516440692428001","88745411210071234795521126396892078954","207007643963193044746503163552047132600","213983233427491673526939329258471326466","255680405370464422441966423415584430158","235990154475620412780621041803171151976","335124765750299065768615596547544682338","58784927759640683104964291101268426061","82848816936467863747260426720814252157","235145636205135925358319186500172888574","299984412191346995505451269155393642795","146153906180071128783307485341747377591","34028128994086077614609585700696124969","205359566614365261718335179346377386115","282610812952785867002175241175263450358","287547144016351866940040211953137688341","273585505505769007689193357125103497529","251662503061439816585233262378423492800","117684779806378092946138161705405546497","49154799679047531798682057871127059276","317854559165001061558830270224445291290","90119725440096142626163397690966710702","301641073719193632347246762738344100256","78419343791526398450136944876848592245","313352812519909742008246103878542801080","221982855234903303034067508504088450534"],"threshold":0.9},"id":"CURL-CVE-2012-0036-cf00bd0d","signature_type":"Line","deprecated":false,"target":{"file":"lib/escape.c"},"source":"https://github.com/curl/curl.git/commit/75ca568fa1c19de4c5358fed246686de8467c238","signature_version":"v1"},{"digest":{"line_hashes":["202160315350861099161275150163685815628","141101287653505749336645867194515640195","170359114088748731142094564011087818069","292445525563717612931397714816157588850","253058341508099941085631478667448754731","76963453034593604468130511872747922103","17612194269769254357862415002720399373","30415333653559358871351985751216394717","332492076157895845734438527369494618844","186345301373238546127731757258610194549"],"threshold":0.9},"id":"CURL-CVE-2012-0036-e8d2d65d","signature_type":"Line","deprecated":false,"target":{"file":"lib/imap.c"},"source":"https://github.com/curl/curl.git/commit/75ca568fa1c19de4c5358fed246686de8467c238","signature_version":"v1"}],"source":"https://curl.se/docs/CURL-CVE-2012-0036.json"}}],"schema_version":"1.7.3","credits":[{"name":"Dan Fandrich","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}