U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

NOTICE

NIST is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods. You will temporarily see delays in analysis efforts during this transition. We apologize for the inconvenience and ask for your patience as we work to improve the NVD program.


The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to the cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity
  • CVE-2021-3520 - There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash.... read CVE-2021-3520
    Published: June 02, 2021; 9:15:13 AM -0400

    V3.1: 9.8 CRITICAL
    V2.0: 7.5 HIGH

  • CVE-2019-20838 - libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \X or \R has more than one fixed quantifier, a related issue to CVE-2019-20454.
    Published: June 15, 2020; 1:15:09 PM -0400

    V3.1: 7.5 HIGH
    V2.0: 4.3 MEDIUM

  • CVE-2022-35737 - SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.
    Published: August 03, 2022; 2:15:07 AM -0400

    V3.1: 7.5 HIGH

  • CVE-2019-20454 - An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which w... read CVE-2019-20454
    Published: February 14, 2020; 9:15:10 AM -0500

    V3.1: 7.5 HIGH
    V2.0: 5.0 MEDIUM

  • CVE-2020-14155 - libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.
    Published: June 15, 2020; 1:15:10 PM -0400

    V3.1: 5.3 MEDIUM
    V2.0: 5.0 MEDIUM

  • CVE-2021-36976 - libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block).
    Published: July 20, 2021; 3:15:07 AM -0400

    V3.1: 6.5 MEDIUM
    V2.0: 4.3 MEDIUM

  • CVE-2021-31566 - An improper link resolution flaw can occur while extracting an archive leading to changing modes, times, access control lists, and flags of a file outside of the archive. An attacker may provide a malicious archive to a victim user, who would trig... read CVE-2021-31566
    Published: August 23, 2022; 12:15:09 PM -0400

    V3.1: 7.8 HIGH

  • CVE-2022-36227 - In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-... read CVE-2022-36227
    Published: November 21, 2022; 9:15:11 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2020-8169 - curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s).
    Published: December 14, 2020; 3:15:13 PM -0500

    V3.1: 7.5 HIGH
    V2.0: 5.0 MEDIUM

  • CVE-2020-8177 - curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.
    Published: December 14, 2020; 3:15:13 PM -0500

    V3.1: 7.8 HIGH
    V2.0: 4.6 MEDIUM

  • CVE-2020-8231 - Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data.
    Published: December 14, 2020; 3:15:13 PM -0500

    V3.1: 7.5 HIGH
    V2.0: 5.0 MEDIUM

  • CVE-2020-8284 - A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclos... read CVE-2020-8284
    Published: December 14, 2020; 3:15:13 PM -0500

    V3.1: 3.7 LOW
    V2.0: 4.3 MEDIUM

  • CVE-2020-8285 - curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.
    Published: December 14, 2020; 3:15:13 PM -0500

    V3.1: 7.5 HIGH
    V2.0: 5.0 MEDIUM

  • CVE-2020-8286 - curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.
    Published: December 14, 2020; 3:15:14 PM -0500

    V3.1: 7.5 HIGH
    V2.0: 5.0 MEDIUM

  • CVE-2021-22876 - curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatica... read CVE-2021-22876
    Published: April 01, 2021; 2:15:12 PM -0400

    V3.1: 5.3 MEDIUM
    V2.0: 5.0 MEDIUM

  • CVE-2021-22890 - curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving ... read CVE-2021-22890
    Published: April 01, 2021; 2:15:12 PM -0400

    V3.1: 3.7 LOW
    V2.0: 4.3 MEDIUM

  • CVE-2021-22897 - curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "stati... read CVE-2021-22897
    Published: June 11, 2021; 12:15:10 PM -0400

    V3.1: 5.3 MEDIUM
    V2.0: 4.3 MEDIUM

  • CVE-2021-22898 - curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending... read CVE-2021-22898
    Published: June 11, 2021; 12:15:11 PM -0400

    V3.1: 3.1 LOW
    V2.0: 2.6 LOW

  • CVE-2021-22901 - curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when a TLS 1.3 session ticket arrives over a connection. A malicious server can use this in rare unfortunate circumstances to poten... read CVE-2021-22901
    Published: June 11, 2021; 12:15:11 PM -0400

    V3.1: 8.1 HIGH
    V2.0: 6.8 MEDIUM

  • CVE-2021-22922 - When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs... read CVE-2021-22922
    Published: August 05, 2021; 5:15:11 PM -0400

    V3.1: 6.5 MEDIUM
    V2.0: 4.3 MEDIUM

Created September 20, 2022 , Updated February 13, 2024