CVE-2015-3144
EPSS 1.2%
Description
The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index into the host name buffer when the host name is empty, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a zero-length host name, as demonstrated by "http://:80" and ":80".
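The bug class behind this description, as an added illustration written for this page: it is not libcurl's fix_hostname() and the helper names are invented. It assumes the common host-normalisation shape of stripping a trailing dot by indexing the buffer at len - 1; for the empty host produced by "http://:80" or ":80", len is 0 and the access lands one byte before the buffer. The vulnerable form is shown next to the checked form, and a guard byte placed before the buffer makes the out-of-bounds write observable.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration for CVE-2015-3144 (not libcurl code; names invented).
 * Models a host-name normalisation step that indexes the buffer at len - 1.
 * For an empty host name (len == 0) that is one byte before the buffer: an
 * out-of-bounds read, and an out-of-bounds write if that byte is '.'.
 */

/* Copy the host part of url (after "://" if present, up to the first ':'
   or '/') into out. "http://:80" and ":80" both yield "". Minimal parser
   for the illustration only. Returns the host length. */
size_t extract_host(const char *url, char *out, size_t outsz)
{
    const char *p = strstr(url, "://");
    p = p ? p + 3 : url;
    size_t n = strcspn(p, ":/");
    if (n >= outsz)
        n = outsz - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return n;
}

/* Vulnerable shape: strips a trailing dot without checking len != 0.
   Written with pointer arithmetic so the harness below can put a guard byte
   directly before the buffer and observe the write deterministically. */
void strip_trailing_dot_unchecked(char *name)
{
    size_t len = strlen(name);
    char *last = name + len - 1;   /* BUG: equals name - 1 when len == 0 */
    if (*last == '.')
        *last = '\0';
}

/* Checked shape: only touch name[len - 1] when a last character exists. */
void strip_trailing_dot_checked(char *name)
{
    size_t len = strlen(name);
    if (len && name[len - 1] == '.')
        name[len - 1] = '\0';
}

/* Run one stripper on host with a guard byte immediately before it, standing
   in for whatever precedes the buffer in memory. Returns 1 if the guard was
   modified (out-of-bounds write), 0 otherwise. */
int guard_clobbered(const char *host, void (*strip)(char *))
{
    char buf[1 + 256];
    buf[0] = '.';                              /* guard byte */
    snprintf(buf + 1, sizeof buf - 1, "%s", host);
    strip(buf + 1);
    return buf[0] != '.';
}

int main(void)
{
    /* Constructed inputs: the two URLs from the advisory plus a normal one. */
    const char *urls[] = { "http://:80", ":80", "http://example.com.:80" };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        char host[256];
        extract_host(urls[i], host, sizeof host);
        printf("%-24s host=\"%s\" unchecked_oob_write=%d checked_oob_write=%d\n",
               urls[i], host,
               guard_clobbered(host, strip_trailing_dot_unchecked),
               guard_clobbered(host, strip_trailing_dot_checked));
    }
    return 0;
}
```

On a real heap or stack layout the byte before the host buffer is whatever happens to be there, so the unchecked form reads (and sometimes writes) out of bounds on every empty host; the guard byte only makes that visible without relying on a crash.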
How to fix CVE-2015-3144
To remediate CVE-2015-3144, upgrade the affected package to a fixed version below. Distribution security updates may carry the fix under an older upstream version string, so check the package changelog or your distribution's advisory rather than comparing against 7.42.0 alone.
- Debian/curl—upgrade to 7.42.0-1 or later
Is CVE-2015-3144 being exploited?
Low: EPSS is 1.2%, the model's estimated probability that this CVE is exploited in the wild within the next 30 days. A low score means exploitation is considered unlikely, not that it has been ruled out; an exposed libcurl consumer that passes attacker-controlled URLs should still be patched.
Affected packages (1)
- Debian/curl: all versions before 7.42.0-1