Vulnerability Summary
HackerOne disclosed report --> https://hackerone.com/reports/3650689 by osama-hamad
Version: curl 8.19.0 (and master up to 2e5d219205ebec64a66bfd29bba73dd5049c434f), and likely older versions supporting SMB.
Files: lib/url.c (at url_match_proto_config) and lib/smb.c
libcurl incorrectly reuses SMB connections across different shares on the same server, leading to data spoofing and access control bypass.
When libcurl connects to an SMB share, the smb_setup_connection function parses the URL and saves the target share name into the connection's metadata (smbc->share).
However, during connection reuse, url_match_conn only verifies the hostname, port, and credentials. It does not verify if the new URL's SMB share matches the existing connection's smbc->share. There is no smb_conns_match equivalent in url_match_proto_config.
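The reuse decision described above, as an added example: a simplified C model (not libcurl's code) that compares a match on host, port and credentials only with one that also compares the share. Apart from the smbc->share idea taken from the summary, the struct, the function names and the host, user and paths are hypothetical or constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a cached connection; not libcurl's real structs. */
struct conn {
  const char *host;
  int port;
  const char *user;
  char share[64]; /* fixed at connection setup, like smbc->share */
};

/* Copy the first path segment of "/share/dir/file" into out. */
static bool parse_share(const char *path, char *out, size_t outlen)
{
  const char *start = (*path == '/') ? path + 1 : path;
  size_t len = strcspn(start, "/");
  if(len == 0 || len >= outlen)
    return false; /* no share, or too long: never treat as a match */
  memcpy(out, start, len);
  out[len] = '\0';
  return true;
}

/* Behaviour described in the summary: host, port and credentials only. */
static bool match_without_share(const struct conn *c, const char *host,
                                int port, const char *user)
{
  return !strcmp(c->host, host) && c->port == port && !strcmp(c->user, user);
}

/* Hardened variant (hypothetical): the requested share must also match. */
static bool match_with_share(const struct conn *c, const char *host,
                             int port, const char *user, const char *path)
{
  char want[64];
  return match_without_share(c, host, port, user) &&
         parse_share(path, want, sizeof(want)) && !strcmp(c->share, want);
}

int main(void)
{
  /* Constructed sample: connection was set up for the "public" share. */
  struct conn c = {"fileserver.example", 445, "alice", "public"};
  const char *path = "/private/report.txt"; /* next request, other share */
  printf("reuse without share check: %d\n",
         match_without_share(&c, c.host, c.port, c.user));
  printf("reuse with share check:    %d\n",
         match_with_share(&c, c.host, c.port, c.user, path));
  return 0;
}
```

The exact string comparison is the conservative choice here: it can refuse a reuse that would have been safe, but it never hands a request for one share to a connection bound to another.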
HackerOne disclosed report --> https://hackerone.com/reports/3697719 by xkilua
HackerOne disclosed report --> https://hackerone.com/reports/3669637 by joesephdiver
HackerOne disclosed report --> https://hackerone.com/reports/3642555 by quaccws