CVE-2012-0036

high

Published 2012-04-13 · Modified 2026-04-29

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

7.5

Description

curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2012-0036 NameCVE-2012-0036 Descriptioncurl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol. SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc,…

CVE-2012-0036

Name	CVE-2012-0036
Description	curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-2398-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
curl (PTS)	bullseye	7.74.0-1.3+deb11u13	fixed
	bullseye (security)	7.74.0-1.3+deb11u16	fixed
	bookworm	7.88.1-10+deb12u14	fixed
	bookworm (security)	7.88.1-10+deb12u5	fixed
	trixie	8.14.1-2+deb13u3	fixed
	forky	8.20.0-2	fixed
	sid	8.20.0-4	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
curl	source	lenny	7.18.2-8lenny6	DSA-2398-1
curl	source	squeeze	7.21.0-2.1+squeeze1	DSA-2398-1
curl	source	(unstable)	7.24.0-1

Notes

[lenny] - curl <not-affected> (Only affects 7.20.0 to 7.23.1)
http://curl.haxx.se/docs/adv_20120124.html

Home - Debian Security - Source (Git)

Apply commands

text fix

Notes

[lenny] - curl <not-affected> (Only affects 7.20.0 to 7.23.1)http://curl.haxx.se/docs/adv_20120124.html

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`7.24.0-1`
sid	Fixed	`7.24.0-1`
forky	Fixed	`7.24.0-1`
bullseye	Fixed	`7.24.0-1`
bookworm	Fixed	`7.24.0-1`

Application impact

Vendor	Product	Versions
curl	curl	`7.20.0`
curl	curl	`7.20.1`
curl	curl	`7.21.0`
curl	curl	`7.21.1`
curl	curl	`7.21.2`
curl	curl	`7.21.3`
curl	curl	`7.21.4`
curl	curl	`7.21.5`
curl	curl	`7.21.6`
curl	curl	`7.21.7`
curl	curl	`7.22.0`
curl	curl	`7.23.0`
curl	curl	`7.23.1`
curl	libcurl	`7.20.0`
curl	libcurl	`7.20.1`
curl	libcurl	`7.21.0`
curl	libcurl	`7.21.1`
curl	libcurl	`7.21.2`
curl	libcurl	`7.21.3`
curl	libcurl	`7.21.4`
curl	libcurl	`7.21.5`
curl	libcurl	`7.21.6`
curl	libcurl	`7.21.7`
curl	libcurl	`7.22.0`
curl	libcurl	`7.23.0`
curl	libcurl	`7.23.1`

References

CWEs

CWE-89

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.