CVE-2019-5481: Double Free
First published: Wed Sep 11 2019(Updated: )
Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/curl | 7.64.0-4+deb10u2 7.64.0-4+deb10u7 7.74.0-1.3+deb11u9 7.74.0-1.3+deb11u10 7.88.1-10+deb12u3 7.88.1-10+deb12u4 8.4.0-2 | |
| debian/curl | <=7.52.1-5+deb9u9<=7.64.0-4<=7.65.3-1<=7.52.1-1 | |
| Haxx Curl | >=7.52.0<=7.65.3 | |
| Fedoraproject Fedora | =29 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| Netapp Cloud Backup | ||
| Netapp Steelstore | ||
| Netapp Solidfire Baseboard Management Controller Firmware | ||
| Netapp Solidfire Baseboard Management Controller | ||
| Oracle Communications Operations Monitor | =3.4 | |
| Oracle Communications Operations Monitor | =4.0 | |
| Oracle Communications Operations Monitor | =4.1 | |
| Oracle Communications Operations Monitor | =4.2 | |
| Oracle Communications Operations Monitor | =4.3 | |
| Oracle Communications Session Border Controller | =8.3 | |
| Oracle Communications Session Border Controller | =8.4 | |
| Oracle Enterprise Manager Ops Center | =12.3.3 | |
| Oracle Enterprise Manager Ops Center | =12.4.0 | |
| Oracle Mysql Server | >=5.7.0<=5.7.28 | |
| Oracle Mysql Server | >=8.0.0<=8.0.18 | |
| Oracle OSS Support Tools | =20.0 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| openSUSE Leap | =15.0 | |
| openSUSE Leap | =15.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://curl.haxx.se/docs/CVE-2019-5481.html
- https://github.com/curl/curl/commit/0649433da53c7165f839e24e889e131e2894dd32
- https://github.com/curl/curl/commit/9069838b30fb3b48af0123e39f664cea683254a5
- https://security-tracker.debian.org/tracker/CVE-2019-5481
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481
- https://security-tracker.debian.org/tracker/CVE-2019-5482
- https://curl.haxx.se/docs/CVE-2019-5482.html
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940009
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CI4QQ2RSZX4VCFM76SIWGKY6BY7UWIC/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/
- https://seclists.org/bugtraq/2020/Feb/36
- https://security.gentoo.org/glsa/202003-29
- https://security.netapp.com/advisory/ntap-20191004-0003/
- https://www.debian.org/security/2020/dsa-4633
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CI4QQ2RSZX4VCFM76SIWGKY6BY7UWIC/
Frequently Asked Questions
What is CVE-2019-5481?
CVE-2019-5481 is a double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.
What is the severity of CVE-2019-5481?
CVE-2019-5481 has a severity rating of 9.8 (critical).
How can I fix the double-free vulnerability in cURL (CVE-2019-5481)?
To fix the double-free vulnerability in cURL (CVE-2019-5481), update to version 7.64.0-4+deb10u2, 7.64.0-4+deb10u7, 7.74.0-1.3+deb11u9, 7.74.0-1.3+deb11u10, 7.88.1-10+deb12u3, 7.88.1-10+deb12u4, or 8.4.0-2.
What software versions are affected by CVE-2019-5481?
CVE-2019-5481 affects cURL versions 7.52.0 to 7.65.3.
What is the Common Weakness Enumeration (CWE) ID for CVE-2019-5481?
The Common Weakness Enumeration (CWE) ID for CVE-2019-5481 is 415.
- collector/security-tracker-debian
- collector/debian-bugs
- alias/CVE-2019-5481
- collector/nvd-index
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/description
- agent/type
- agent/event
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- agent/remedy
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/debian
- vendor/haxx
- canonical/haxx curl
- version/haxx curl/7.52.0
- version/haxx curl/7.65.3
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/29
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- vendor/netapp
- canonical/netapp cloud backup
- canonical/netapp steelstore
- canonical/netapp solidfire baseboard management controller firmware
- canonical/netapp solidfire baseboard management controller
- vendor/oracle
- canonical/oracle communications operations monitor
- version/oracle communications operations monitor/3.4
- version/oracle communications operations monitor/4.0
- version/oracle communications operations monitor/4.1
- version/oracle communications operations monitor/4.2
- version/oracle communications operations monitor/4.3
- canonical/oracle communications session border controller
- version/oracle communications session border controller/8.3
- version/oracle communications session border controller/8.4
- canonical/oracle enterprise manager ops center
- version/oracle enterprise manager ops center/12.3.3
- version/oracle enterprise manager ops center/12.4.0
- canonical/oracle mysql server
- version/oracle mysql server/5.7.0
- version/oracle mysql server/5.7.28
- version/oracle mysql server/8.0.0
- version/oracle mysql server/8.0.18
- canonical/oracle oss support tools
- version/oracle oss support tools/20.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.0
- version/opensuse leap/15.1