{"id":"CURL-CVE-2013-0249","summary":"SASL buffer overflow","details":"libcurl is vulnerable to a buffer overflow vulnerability when communicating\n  with one of the protocols POP3, SMTP or IMAP.\n\n  When negotiating SASL DIGEST-MD5 authentication, the function\n  `Curl_sasl_create_digest_md5_message()` uses the data provided from the\n  server without doing the proper length checks and that data is then appended\n  to a local fixed-size buffer on the stack.\n\n  This vulnerability can be exploited by someone who is in control of a server\n  that a libcurl based program is accessing with POP3, SMTP or IMAP. For\n  applications that accept user provided URLs, it is also thinkable that a\n  malicious user would feed an application with a URL to a server hosting code\n  targeting this flaw.\n\n  This vulnerability can be used for remote code execution (RCE) on vulnerable\n  systems.\n\n  Both curl the command line tool and applications using the libcurl library\n  are vulnerable.","aliases":["CVE-2013-0249"],"modified":"2025-05-15T17:48:29Z","published":"2013-02-06T08:00:00Z","database_specific":{"last_affected":"7.28.1","URL":"https://curl.se/docs/CVE-2013-0249.json","www":"https://curl.se/docs/CVE-2013-0249.html","CWE":{"id":"CWE-121","desc":"Stack-based Buffer Overflow"},"severity":"Critical","package":"curl","affects":"both"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.26.0"},{"fixed":"7.29.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"7a2647e16237a2771f564d432d96a6f198a0eeb5"},{"fixed":"f206d6c055d1008f0edb6d5d5920f0f300b9983a"}]}],"versions":["7.28.1","7.28.0","7.27.0","7.26.0"],"database_specific":{"vanir_signatures":[{"deprecated":false,"signature_type":"Function","id":"CURL-CVE-2013-0249-88744018","target":{"file":"lib/curl_sasl.c","function":"Curl_sasl_create_digest_md5_message"},"digest":{"function_hash":"159391975882008358046898390206799100549","length":4266},"source":"https://github.com/curl/curl.git/commit/f206d6c055d1008f0edb6d5d5920f0f300b9983a","signature_version":"v1"},{"deprecated":false,"signature_type":"Line","id":"CURL-CVE-2013-0249-a569fc09","target":{"file":"lib/curl_sasl.c"},"digest":{"line_hashes":["59989511861975177197361190156011432999","79579512590841082603164474932071731662","280453228738073661817826478685497407137","89506625971535947860175017236046226369","280895666484554560101695128847421768899","214629372157697119510915090251166590170","268642237863843770458260403252438799062","133091462680146701100609491552370693002","100792198256655150588026348540955117693","303297278804503501138318908643242344458","252888240415055316092147798385173021894","78930870528873899365754725093369671660","160209090977147466735938990453470296139","255727790287437403619558305177521440112","269602557028209153456599712038229022145","258541154434129167735701533018457405107","279509673037591907073454375417859274411","333299968035789361455698972428679370330","134336826008439941072535355758939692634","120815187918675627194893807768291083729","213951811613322502726307840617377267874","207796728171759773922263521994711152364","268429273683657545495713929968282586452"],"threshold":0.9},"source":"https://github.com/curl/curl.git/commit/f206d6c055d1008f0edb6d5d5920f0f300b9983a","signature_version":"v1"}],"source":"https://curl.se/docs/CURL-CVE-2013-0249.json"}}],"schema_version":"1.7.3","credits":[{"name":"Volema","type":"FINDER"},{"name":"Volema","type":"REMEDIATION_DEVELOPER"}]}