Vulnerability Database

CVE-2012-0036

curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.

  • Published: Apr 13, 2012
  • Updated: Apr 13, 2023
  • CVE: CVE-2012-0036
  • Severity: High
  • Exploit:

CVSS v2:

  • Severity: High
  • Score: 7.5
  • Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

OWASP TOP 10:

Software          From      Fixed in
curl / curl       7.21.0    7.21.0.x
curl / curl       7.21.6    7.21.6.x
curl / curl       7.21.3    7.21.3.x
curl / curl       7.23.1    7.23.1.x
curl / curl       7.21.2    7.21.2.x
curl / curl       7.21.5    7.21.5.x
curl / curl       7.20.1    7.20.1.x
curl / curl       7.21.7    7.21.7.x
curl / curl       7.22.0    7.22.0.x
curl / curl       7.20.0    7.20.0.x
curl / curl       7.21.1    7.21.1.x
curl / curl       7.21.4    7.21.4.x
curl / curl       7.23.0    7.23.0.x
curl / libcurl    7.21.3    7.21.3.x
curl / libcurl    7.21.0    7.21.0.x
curl / libcurl    7.21.6    7.21.6.x
curl / libcurl    7.20.1    7.20.1.x
curl / libcurl    7.21.1    7.21.1.x
curl / libcurl    7.22.0    7.22.0.x
curl / libcurl    7.20.0    7.20.0.x
curl / libcurl    7.21.5    7.21.5.x
curl / libcurl    7.21.2    7.21.2.x
curl / libcurl    7.23.1    7.23.1.x
curl / libcurl    7.21.4    7.21.4.x
curl / libcurl    7.21.7    7.21.7.x
curl / libcurl    7.23.0    7.23.0.x