ALT-PU-2026-1133-5

BDU:2026-02955

MEDIUM5.3

Уязвимость программного средства для взаимодействия с серверами cURL, связанная с переадресацией URL на ненадежный сайт, позволяющая нарушителю оказать воздействие на конфиденциальность защищаемой информации

Опубликовано: 2026-03-12

CVSS 3.xСРЕДНЯЯ 5.3

CVSS:3.x/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

CVSS 2.0СРЕДНЯЯ 5.4

CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:N/A:N

Ссылки

CVE-2025-14524

BDU:2026-03387

MEDIUM5.3

Уязвимость программного средства для взаимодействия с серверами cURL, связанная с недостатками процедуры аутентификации, позволяющая нарушителю оказать воздействие на конфиденциальность защищаемой информации

Опубликовано: 2026-03-19

CVSS 3.xСРЕДНЯЯ 5.3

CVSS:3.x/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

CVSS 2.0СРЕДНЯЯ 5.4

CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:N/A:N

Ссылки

CVE-2025-15224

BDU:2026-03453

MEDIUM5.3

Уязвимость библиотеки libcurl программного средства для взаимодействия с серверами cURL, позволяющая нарушителю оказать воздействие на конфиденциальность защищаемой информации

Опубликовано: 2026-03-23

CVSS 3.xСРЕДНЯЯ 5.3

CVSS:3.x/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

CVSS 2.0СРЕДНЯЯ 5.4

CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:N/A:N

Ссылки

CVE-2025-15079

BDU:2026-05122

MEDIUM6.3

Уязвимость библиотеки libcurl программного средства для взаимодействия с серверами cURL, позволяющая нарушителю вызвать отказ в обслуживании

Опубликовано: 2026-04-14Изменено: 2026-04-20

CVSS 3.xСРЕДНЯЯ 6.3

CVSS:3.x/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

CVSS 2.0СРЕДНЯЯ 5.6

CVSS:2.0/AV:L/AC:H/Au:N/C:C/I:C/A:N

Ссылки

CVE-2025-14017

CVE-2025-13034

MEDIUM5.9

When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.

Опубликовано: 2026-01-08Изменено: 2026-01-20

CVSS 3.xСРЕДНЯЯ 5.9

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Ссылки

CVE-2025-14017

MEDIUM6.3

When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.

Опубликовано: 2026-01-08Изменено: 2026-01-27

CVSS 3.xСРЕДНЯЯ 6.3

CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Ссылки

CVE-2025-14524

MEDIUM5.3

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.

Опубликовано: 2026-01-08Изменено: 2026-01-20

CVSS 3.xСРЕДНЯЯ 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Ссылки

CVE-2025-14819

MEDIUM5.3

When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.

Опубликовано: 2026-01-08Изменено: 2026-01-20

CVSS 3.xСРЕДНЯЯ 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Ссылки

CVE-2025-15079

MEDIUM5.3

When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the libssh global known_hosts file.

Опубликовано: 2026-01-08Изменено: 2026-01-20

CVSS 3.xСРЕДНЯЯ 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Ссылки

CVE-2025-15224

LOW3.1

When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.

Опубликовано: 2026-01-08Изменено: 2026-01-20

CVSS 3.xНИЗКАЯ 3.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Ссылки

CVE-2026-3784

MEDIUM6.5

curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.

Опубликовано: 2026-03-11Изменено: 2026-03-12

CVSS 3.xСРЕДНЯЯ 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Ссылки

Обновление пакета curl в ветке sisyphus

Закрытые проблемы (11)

Уязвимость библиотеки libcurl программного средства для взаимодействия с серверами cURL, позволяющая нарушителю вызвать отказ в обслуживании

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.

When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the libssh global known_hosts file.

When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.

curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.

Обновление пакета curl в ветке sisyphus

Закрытые проблемы (11)

Уязвимость библиотеки libcurl программного средства для взаимодействия с серверами cURL, позволяющая нарушителю вызвать отказ в обслуживании

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.

When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts *not present* in the specified file if they were added as recognized in the libssh *global* known_hosts file.

When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.

curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.

When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the libssh global known_hosts file.