{"containers": {"cna": {"affected": [{"product": "curl", "vendor": "curl", "versions": [{"status": "affected", "version": "Fixed in 7.65.0"}]}], "datePublic": "2019-05-22T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "description": "Heap Overflow (CWE-122)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-10-20T21:15:00.000Z", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"name": "openSUSE-SU-2019:1492", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html"}, {"name": "openSUSE-SU-2019:1508", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html"}, {"name": "FEDORA-2019-697de0501f", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/"}, {"name": "[oss-security] 20190911 [SECURITY ADVISORY] curl: TFTP small blocksize heap buffer overflow", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2019/09/11/6"}, {"name": "DSA-4633", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2020/dsa-4633"}, {"name": "20200225 [SECURITY] [DSA 4633-1] curl security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2020/Feb/36"}, {"name": "GLSA-202003-29", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202003-29"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20190606-0004/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://curl.haxx.se/docs/CVE-2019-5436.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.f5.com/csp/article/K55133295"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.f5.com/csp/article/K55133295?utm_source=f5support&amp%3Butm_medium=RSS"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2019-5436", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "curl", "version": {"version_data": [{"version_value": "Fixed in 7.65.0"}]}}]}, "vendor_name": "curl"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Heap Overflow (CWE-122)"}]}]}, "references": {"reference_data": [{"name": "openSUSE-SU-2019:1492", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html"}, {"name": "openSUSE-SU-2019:1508", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html"}, {"name": "FEDORA-2019-697de0501f", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/"}, {"name": "[oss-security] 20190911 [SECURITY ADVISORY] curl: TFTP small blocksize heap buffer overflow", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/09/11/6"}, {"name": "DSA-4633", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4633"}, {"name": "20200225 [SECURITY] [DSA 4633-1] curl security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2020/Feb/36"}, {"name": "GLSA-202003-29", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-29"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"}, {"name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "refsource": "MISC", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}, {"name": "https://www.oracle.com/security-alerts/cpuoct2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"name": "https://security.netapp.com/advisory/ntap-20190606-0004/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20190606-0004/"}, {"name": "https://curl.haxx.se/docs/CVE-2019-5436.html", "refsource": "CONFIRM", "url": "https://curl.haxx.se/docs/CVE-2019-5436.html"}, {"name": "https://support.f5.com/csp/article/K55133295", "refsource": "CONFIRM", "url": "https://support.f5.com/csp/article/K55133295"}, {"name": "https://support.f5.com/csp/article/K55133295?utm_source=f5support&utm_medium=RSS", "refsource": "CONFIRM", "url": "https://support.f5.com/csp/article/K55133295?utm_source=f5support&utm_medium=RSS"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T19:54:53.472Z"}, "title": "CVE Program Container", "references": [{"name": "openSUSE-SU-2019:1492", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html"}, {"name": "openSUSE-SU-2019:1508", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html"}, {"name": "FEDORA-2019-697de0501f", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/"}, {"name": "[oss-security] 20190911 [SECURITY ADVISORY] curl: TFTP small blocksize heap buffer overflow", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2019/09/11/6"}, {"name": "DSA-4633", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2020/dsa-4633"}, {"name": "20200225 [SECURITY] [DSA 4633-1] curl security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "https://seclists.org/bugtraq/2020/Feb/36"}, {"name": "GLSA-202003-29", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202003-29"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20190606-0004/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://curl.haxx.se/docs/CVE-2019-5436.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.f5.com/csp/article/K55133295"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.f5.com/csp/article/K55133295?utm_source=f5support&amp%3Butm_medium=RSS"}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T20:51:08.976664Z", "id": "CVE-2019-5436", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T20:51:25.334Z"}}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2019-5436", "datePublished": "2019-05-28T18:47:32.000Z", "dateReserved": "2019-01-04T00:00:00.000Z", "dateUpdated": "2026-04-15T20:51:25.334Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html", "name": "openSUSE-SU-2019:1492", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"]}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html", "name": "openSUSE-SU-2019:1508", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/", "name": "FEDORA-2019-697de0501f", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2019/09/11/6", "name": "[oss-security] 20190911 [SECURITY ADVISORY] curl: TFTP small blocksize heap buffer overflow", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"]}, {"url": "https://www.debian.org/security/2020/dsa-4633", "name": "DSA-4633", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"]}, {"url": "https://seclists.org/bugtraq/2020/Feb/36", "name": "20200225 [SECURITY] [DSA 4633-1] curl security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202003-29", "name": "GLSA-202003-29", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpuapr2020.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpuoct2020.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20190606-0004/", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://curl.haxx.se/docs/CVE-2019-5436.html", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://support.f5.com/csp/article/K55133295", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://support.f5.com/csp/article/K55133295?utm_source=f5support&amp%3Butm_medium=RSS", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T19:54:53.472Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2019-5436", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-15T20:51:08.976664Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T20:50:54.319Z"}}], "cna": {"affected": [{"vendor": "curl", "product": "curl", "versions": [{"status": "affected", "version": "Fixed in 7.65.0"}]}], "datePublic": "2019-05-22T00:00:00.000Z", "references": [{"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html", "name": "openSUSE-SU-2019:1492", "tags": ["vendor-advisory", "x_refsource_SUSE"]}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html", "name": "openSUSE-SU-2019:1508", "tags": ["vendor-advisory", "x_refsource_SUSE"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/", "name": "FEDORA-2019-697de0501f", "tags": ["vendor-advisory", "x_refsource_FEDORA"]}, {"url": "http://www.openwall.com/lists/oss-security/2019/09/11/6", "name": "[oss-security] 20190911 [SECURITY ADVISORY] curl: TFTP small blocksize heap buffer overflow", "tags": ["mailing-list", "x_refsource_MLIST"]}, {"url": "https://www.debian.org/security/2020/dsa-4633", "name": "DSA-4633", "tags": ["vendor-advisory", "x_refsource_DEBIAN"]}, {"url": "https://seclists.org/bugtraq/2020/Feb/36", "name": "20200225 [SECURITY] [DSA 4633-1] curl security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ"]}, {"url": "https://security.gentoo.org/glsa/202003-29", "name": "GLSA-202003-29", "tags": ["vendor-advisory", "x_refsource_GENTOO"]}, {"url": "https://www.oracle.com/security-alerts/cpuapr2020.html", "tags": ["x_refsource_MISC"]}, {"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "tags": ["x_refsource_MISC"]}, {"url": "https://www.oracle.com/security-alerts/cpuoct2020.html", "tags": ["x_refsource_MISC"]}, {"url": "https://security.netapp.com/advisory/ntap-20190606-0004/", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://curl.haxx.se/docs/CVE-2019-5436.html", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://support.f5.com/csp/article/K55133295", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://support.f5.com/csp/article/K55133295?utm_source=f5support&amp%3Butm_medium=RSS", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "Heap Overflow (CWE-122)"}]}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2020-10-20T21:15:00.000Z"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "Fixed in 7.65.0"}]}, "product_name": "curl"}]}, "vendor_name": "curl"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html", "name": "openSUSE-SU-2019:1492", "refsource": "SUSE"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html", "name": "openSUSE-SU-2019:1508", "refsource": "SUSE"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/", "name": "FEDORA-2019-697de0501f", "refsource": "FEDORA"}, {"url": "http://www.openwall.com/lists/oss-security/2019/09/11/6", "name": "[oss-security] 20190911 [SECURITY ADVISORY] curl: TFTP small blocksize heap buffer overflow", "refsource": "MLIST"}, {"url": "https://www.debian.org/security/2020/dsa-4633", "name": "DSA-4633", "refsource": "DEBIAN"}, {"url": "https://seclists.org/bugtraq/2020/Feb/36", "name": "20200225 [SECURITY] [DSA 4633-1] curl security update", "refsource": "BUGTRAQ"}, {"url": "https://security.gentoo.org/glsa/202003-29", "name": "GLSA-202003-29", "refsource": "GENTOO"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2020.html", "name": "https://www.oracle.com/security-alerts/cpuapr2020.html", "refsource": "MISC"}, {"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "refsource": "MISC"}, {"url": "https://www.oracle.com/security-alerts/cpuoct2020.html", "name": "https://www.oracle.com/security-alerts/cpuoct2020.html", "refsource": "MISC"}, {"url": "https://security.netapp.com/advisory/ntap-20190606-0004/", "name": "https://security.netapp.com/advisory/ntap-20190606-0004/", "refsource": "CONFIRM"}, {"url": "https://curl.haxx.se/docs/CVE-2019-5436.html", "name": "https://curl.haxx.se/docs/CVE-2019-5436.html", "refsource": "CONFIRM"}, {"url": "https://support.f5.com/csp/article/K55133295", "name": "https://support.f5.com/csp/article/K55133295", "refsource": "CONFIRM"}, {"url": "https://support.f5.com/csp/article/K55133295?utm_source=f5support&utm_medium=RSS", "name": "https://support.f5.com/csp/article/K55133295?utm_source=f5support&utm_medium=RSS", "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Heap Overflow (CWE-122)"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2019-5436", "STATE": "PUBLIC", "ASSIGNER": "support@hackerone.com"}}}}, "cveMetadata": {"cveId": "CVE-2019-5436", "state": "PUBLISHED", "dateUpdated": "2026-04-15T20:51:25.334Z", "dateReserved": "2019-01-04T00:00:00.000Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2019-05-28T18:47:32.000Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*", "matchCriteriaId": "18D5BEE8-2C04-4882-9C6D-754C0373E924", "versionEndIncluding": "7.64.1", "versionStartIncluding": "7.19.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "F1E78106-58E6-4D59-990F-75DA575BFAD9", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*", "matchCriteriaId": "5F65DAB0-3DAD-49FF-BC73-3581CC3D5BF3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", "matchCriteriaId": "D100F7CE-FC64-4CC6-852A-6136D72DA419", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:traffix_signaling_delivery_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E52F91D-3F39-4D89-8069-EC422FB1F700", "versionEndIncluding": "5.1.0", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*", "matchCriteriaId": "A3C19813-E823-456A-B1CE-EC0684CE1953", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*", "matchCriteriaId": "A6E9EF0C-AFA8-4F7B-9FDC-1E0F7C26E737", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*", "matchCriteriaId": "E94F7F59-1785-493F-91A7-5F5EA5E87E4D", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "AB654DFA-FEF9-4D00-ADB0-F3F2B6ACF13E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "37209C6F-EF99-4D21-9608-B3A06D283D24", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9963770-142A-4D06-9D50-E137795A96DA", "versionEndIncluding": "5.7.27", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "706073CA-6C46-4480-9C4B-4DB9B1B9F4EB", "versionEndIncluding": "8.0.17", "versionStartIncluding": "5.7.28", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:oss_support_tools:20.0:*:*:*:*:*:*:*", "matchCriteriaId": "8252A7F5-2FB5-4E73-864D-D11F21F5EC56", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1."}, {"lang": "es", "value": "Un desbordamiento de b\u00fafer en la memoria din\u00e1mica (heap) del c\u00f3digo de recepci\u00f3n TFTP, permite la ejecuci\u00f3n de c\u00f3digo arbitrario o una Denegaci\u00f3n de Servicio (DoS) en las versiones de libcurl 7.19.4 hasta 7.64.1."}], "id": "CVE-2019-5436", "lastModified": "2026-04-15T21:17:01.457", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2019-05-28T19:29:06.127", "references": [{"source": "support@hackerone.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html"}, {"source": "support@hackerone.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html"}, {"source": "support@hackerone.com", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2019/09/11/6"}, {"source": "support@hackerone.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://curl.haxx.se/docs/CVE-2019-5436.html"}, {"source": "support@hackerone.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/"}, {"source": "support@hackerone.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/bugtraq/2020/Feb/36"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202003-29"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20190606-0004/"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://support.f5.com/csp/article/K55133295"}, {"source": "support@hackerone.com", "url": "https://support.f5.com/csp/article/K55133295?utm_source=f5support&amp%3Butm_medium=RSS"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2020/dsa-4633"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"}, {"source": "support@hackerone.com", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2019/09/11/6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://curl.haxx.se/docs/CVE-2019-5436.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/bugtraq/2020/Feb/36"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202003-29"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20190606-0004/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://support.f5.com/csp/article/K55133295"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://support.f5.com/csp/article/K55133295?utm_source=f5support&amp%3Butm_medium=RSS"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2020/dsa-4633"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "support@hackerone.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Curl project for reporting this issue. Upstream acknowledges l00p3r as the original reporter.", "affected_release": [{"advisory": "RHSA-2019:1543", "cpe": "cpe:/a:redhat:jboss_core_services:1", "product_name": "JBoss Core Services Apache HTTP Server 2.4.29 SP2", "release_date": "2019-06-18T00:00:00Z"}, {"advisory": "RHBA-2020:1539", "cpe": "cpe:/a:redhat:ansible_tower:3.5::el7", "package": "ansible-tower-35/ansible-tower:3.5.6-1", "product_name": "Red Hat Ansible Tower 3.5 for RHEL 7", "release_date": "2020-04-22T00:00:00Z"}, {"advisory": "RHBA-2020:1540", "cpe": "cpe:/a:redhat:ansible_tower:3.6::el7", "package": "ansible-tower-36/ansible-tower:3.6.4-1", "product_name": "Red Hat Ansible Tower 3.6 for RHEL 7", "release_date": "2020-04-22T00:00:00Z"}, {"advisory": "RHSA-2020:1020", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "curl-0:7.29.0-57.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-03-31T00:00:00Z"}, {"advisory": "RHSA-2020:2505", "cpe": "cpe:/o:redhat:rhel_eus:7.7", "package": "curl-0:7.29.0-54.el7_7.3", "product_name": "Red Hat Enterprise Linux 7.7 Extended Update Support", "release_date": "2020-06-12T00:00:00Z"}, {"advisory": "RHSA-2020:1792", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "curl-0:7.61.1-12.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}], "bugzilla": {"description": "curl: TFTP receive heap buffer overflow in tftp_receive_packet() function", "id": "1710620", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1710620"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-122", "details": ["A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1."], "name": "CVE-2019-5436", "package_state": [{"cpe": "cpe:/a:redhat:rhel_dotnet:1.0", "fix_state": "Not affected", "package_name": "rh-dotnetcore10-curl", "product_name": ".NET Core 1.0 on Red Hat Enterprise Linux"}, {"cpe": "cpe:/a:redhat:rhel_dotnet:1.1", "fix_state": "Not affected", "package_name": "rh-dotnetcore11-curl", "product_name": ".NET Core 1.1 on Red Hat Enterprise Linux"}, {"cpe": "cpe:/a:redhat:rhel_dotnet:2.1", "fix_state": "Not affected", "package_name": "rh-dotnet21-curl", "product_name": ".NET Core 2.1 on Red Hat Enterprise Linux"}, {"cpe": "cpe:/a:redhat:rhel_dotnet:2.2", "fix_state": "Not affected", "package_name": "rh-dotnet22-curl", "product_name": ".NET Core 2.2 on Red Hat Enterprise Linux"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "curl", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Affected", "package_name": "curl", "product_name": "Red Hat JBoss Core Services"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Not affected", "package_name": "curl", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Fix deferred", "package_name": "httpd24-curl", "product_name": "Red Hat Software Collections"}], "public_date": "2019-05-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-5436\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-5436\nhttps://curl.haxx.se/docs/CVE-2019-5436.html"], "statement": "This flaw exists if the user selects to use a \"blksize\" of 504 or smaller (default is 512). The smaller size that is used, the larger the possible overflow becomes.\nUsers choosing a smaller size than default should be rare as the primary use case for changing the size is to make it larger. It is rare for users to use TFTP across the Internet. It is most commonly used within local networks.", "threat_severity": "Low"}