{"id":"CURL-CVE-2016-0754","summary":"remote filename path traversal in curl tool for Windows","details":"curl does not sanitize colons in a remote filename that is used as the local\nfilename. This may lead to a vulnerability on systems where the colon is a\nspecial path character. Currently Windows is the only OS where this\nvulnerability applies.\n\ncurl offers command line options --remote-name (also usable as `-O`) and\n`--remote-header-name` (also usable as `-J`). When both of those options are\nused together (-OJ) and the server provides a remote filename for the content,\ncurl writes its output to that server-provided filename, as long as that file\ndoes not already exist. If it does exist curl fails to write.\n\nIf both options are used together (`-OJ`) but the server does not provide a\nremote filename, or if `-O` is used without `-J`, curl writes output to a\nfilename based solely on the remote filename in the URL string provided by the\nuser, regardless of whether or not that file already exists.\n\nIn either case curl does not sanitize colons in the filename. As a result in\nWindows it is possible and unintended behavior for curl to write to a file in\nthe working directory of a drive that is not the current drive (i.e. outside\nthe current working directory), and also possible to write to a file's\nalternate data stream.\n\nFor example if curl `-OJ` and the server sends filename=f:foo curl incorrectly\nwrites foo to the working directory for drive F even if drive F is not the\ncurrent drive. For a more detailed explanation see the 'MORE BACKGROUND AND\nEXAMPLE' section towards the end of this advisory.\n\nThough no known exploit is available for this issue at the time of the\npublication, writing one would be undemanding and could be serious depending\non the name of the file and where it ends up being written.","aliases":["CVE-2016-0754"],"modified":"2024-07-02T09:22:24Z","published":"2016-01-27T08:00:00Z","database_specific":{"www":"https://curl.se/docs/CVE-2016-0754.html","severity":"High","last_affected":"7.46.0","affects":"tool","CWE":{"desc":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","id":"CWE-22"},"package":"curl","URL":"https://curl.se/docs/CVE-2016-0754.json"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"4.0"},{"fixed":"7.47.0"}]}],"versions":["7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0","7.19.7","7.19.6","7.19.5","7.19.4","7.19.3","7.19.2","7.19.1","7.19.0","7.18.2","7.18.1","7.18.0","7.17.1","7.17.0","7.16.4","7.16.3","7.16.2","7.16.1","7.16.0","7.15.5","7.15.4","7.15.3","7.15.2","7.15.1","7.15.0","7.14.1","7.14.0","7.13.2","7.13.1","7.13.0","7.12.3","7.12.2","7.12.1","7.12.0","7.11.2","7.11.1","7.11.0","7.10.8","7.10.7","7.10.6","7.10.5","7.10.4","7.10.3","7.10.2","7.10.1","7.10","7.9.8","7.9.7","7.9.6","7.9.5","7.9.4","7.9.3","7.9.2","7.9.1","7.9","7.8.1","7.8","7.7.3","7.7.2","7.7.1","7.7","7.6.1","7.6","7.5.2","7.5.1","7.5","7.4.2","7.4.1","7.4","7.3","7.2.1","7.2","7.1.1","7.1","6.5.2","6.5.1","6.5","6.4","6.3.1","6.3","6.2","6.1","6.0","5.11","5.10","5.9.1","5.9","5.8","5.7.1","5.7","5.5.1","5.5","5.4","5.3","5.2.1","5.2","5.0","4.10","4.9","4.8.4","4.8.3","4.8.2","4.8.1","4.8","4.7","4.6","4.5.1","4.5","4.4","4.3","4.2","4.1","4.0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2016-0754.json"}}],"schema_version":"1.7.3","credits":[{"name":"Ray Satiro (Jay)","type":"FINDER"},{"name":"Ray Satiro (Jay)","type":"REMEDIATION_DEVELOPER"}]}