CVE-2015-3144

critical

Published 2015-04-24 · Modified 2026-05-06

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

9.0

Description

The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a zero-length host name, as demonstrated by "http://:80" and ":80."

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2015-3144 NameCVE-2015-3144 DescriptionThe fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a zero-length host name, as demonstrated by "http://:80" and ":80." SourceCVE (at NVD; CERT, ENISA, LWN,…

CVE-2015-3144

Name	CVE-2015-3144
Description	The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a zero-length host name, as demonstrated by "http://:80" and ":80."
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
curl (PTS)	bullseye	7.74.0-1.3+deb11u13	fixed
	bullseye (security)	7.74.0-1.3+deb11u16	fixed
	bookworm	7.88.1-10+deb12u14	fixed
	bookworm (security)	7.88.1-10+deb12u5	fixed
	trixie	8.14.1-2+deb13u3	fixed
	forky	8.20.0-2	fixed
	sid	8.20.0-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
curl	source	squeeze	(not affected)
curl	source	wheezy	(not affected)
curl	source	jessie	7.38.0-4+deb8u1
curl	source	(unstable)	7.42.0-1

Notes

[wheezy] - curl <not-affected> (Affects 7.37.0 to and including 7.41.0)
[squeeze] - curl <not-affected> (Affects 7.37.0 to and including 7.41.0)
http://curl.haxx.se/docs/adv_20150422D.html

Home - Debian Security - Source (Git)

Apply commands

text fix

Notes

[wheezy] - curl <not-affected> (Affects 7.37.0 to and including 7.41.0)[squeeze] - curl <not-affected> (Affects 7.37.0 to and including 7.41.0)http://curl.haxx.se/docs/adv_20150422D.html

OS impact

Ubuntu Affected 4 releases

Version	Status	Fixed in
15.04	Affected	—
14.10	Affected	—
14.04	Affected	—
12.04	Affected	—

Debian Mixed 6 releases

Version	Status	Fixed in
trixie	Fixed	`7.42.0-1`
sid	Fixed	`7.42.0-1`
forky	Fixed	`7.42.0-1`
bullseye	Fixed	`7.42.0-1`
bookworm	Fixed	`7.42.0-1`
7.0	Affected	—

Application impact

Vendor	Product	Versions
oracle	mysql_enterprise_monitor	`{"endIncluding":"2.3.20"}`
haxx	curl	`7.37.0`
haxx	curl	`7.37.1`
haxx	curl	`7.38.0`
haxx	curl	`7.39.0`
haxx	curl	`7.40.0`
haxx	curl	`7.41.0`
haxx	libcurl	`7.37.0`
haxx	libcurl	`7.37.1`
haxx	libcurl	`7.38.0`
haxx	libcurl	`7.39`
haxx	libcurl	`7.40.0`
haxx	libcurl	`7.41.0`

References

CWEs

CWE-119

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.