Vulnerability Details : CVE-2015-3237
The smb_request_state function in cURL and libcurl 7.40.0 through 7.42.1 allows remote SMB servers to obtain sensitive information from memory or cause a denial of service (out-of-bounds read and crash) via crafted length and offset values.
Vulnerability category: Input validationDenial of service
Threat overview for CVE-2015-3237
Top countries where our scanners detected CVE-2015-3237
Top open port discovered on systems with this issue
80
IPs affected by CVE-2015-3237 181
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2015-3237!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2015-3237
Probability of exploitation activity in the next 30 days: 1.12%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 83 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2015-3237
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
6.4
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:P |
10.0
|
4.9
|
NIST |
CWE ids for CVE-2015-3237
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-3237
-
http://www.securitytracker.com/id/1036371
Sun GlassFish Enterprise Server Flaws Let Remote Users Access Data, Cause Denial of Service Conditions, and Gain Elevated Privileges - SecurityTracker
-
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
CPU Oct 2018
-
https://security.gentoo.org/glsa/201509-02
cURL: Multiple vulnerabilities (GLSA 201509-02) — Gentoo security
-
http://www.securityfocus.com/bid/91787
Oracle July 2016 Critical Patch Update Multiple VulnerabilitiesThird Party Advisory;VDB Entry
-
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160660.html
[SECURITY] Fedora 22 Update: curl-7.40.0-5.fc22
-
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
Oracle Solaris Bulletin - April 2016
-
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05111017
HPSBMU03593 rev.2 - HPE System Management Homepage (SMH), Remote Code Execution, Denial of Service (DoS), Disclosure of Sensitive InformationThird Party Advisory
-
http://www.securityfocus.com/bid/75387
cURL/libcURL 'smb_request_state()' Function Security Vulnerability
-
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
Oracle Critical Patch Update - July 2016Patch;Third Party Advisory
-
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380
HPSBMU03612 rev.2 - HPE Insight Control on Windows and Linux, Multiple Remote Vulnerabilities
-
http://curl.haxx.se/docs/adv_20150617B.html
curl - SMB send off unrelated memory contents - CVE-2015-3237Vendor Advisory
Products affected by CVE-2015-3237
- cpe:2.3:a:hp:system_management_homepage:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:glassfish_server:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:glassfish_server:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_ops_center:12.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.41.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.40.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.42.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.42.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.40.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.41.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.42.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.42.0:*:*:*:*:*:*:*