The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a zero-length host name, as demonstrated by "http://:80" and ":80."
2015-04-24T14:59:09.203
2025-04-12T10:46:40.837
Deferred
CVSSv2: 9.0 (HIGH)
AV:N/AC:L/Au:S/C:C/I:C/A:C
8.0
10.0
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | oracle | mysql_enterprise_monitor | ≤ 2.3.20 | Yes |
| Application | oracle | mysql_enterprise_monitor | ≤ 3.0.22 | Yes |
| Application | haxx | curl | 7.37.0 | Yes |
| Application | haxx | curl | 7.37.1 | Yes |
| Application | haxx | curl | 7.38.0 | Yes |
| Application | haxx | curl | 7.39.0 | Yes |
| Application | haxx | curl | 7.40.0 | Yes |
| Application | haxx | curl | 7.41.0 | Yes |
| Application | haxx | libcurl | 7.37.0 | Yes |
| Application | haxx | libcurl | 7.37.1 | Yes |
| Application | haxx | libcurl | 7.38.0 | Yes |
| Application | haxx | libcurl | 7.39 | Yes |
| Application | haxx | libcurl | 7.40.0 | Yes |
| Application | haxx | libcurl | 7.41.0 | Yes |
| Operating System | canonical | ubuntu_linux | 12.04 | Yes |
| Operating System | canonical | ubuntu_linux | 14.04 | Yes |
| Operating System | canonical | ubuntu_linux | 14.10 | Yes |
| Operating System | canonical | ubuntu_linux | 15.04 | Yes |
| Operating System | debian | debian_linux | 7.0 | Yes |