CVE-2009-0037
CVSS 6.8 - MEDIUM
Description
The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL.
Affected Products
| Vendor | Product | Version |
|---|---|---|
| curl | curl | 5.11 |
| curl | curl | 6.0 |
| curl | curl | 6.1beta |
| curl | curl | 6.2 |
| curl | curl | 6.3 |
| curl | curl | 6.3.1 |
| curl | curl | 6.4 |
| curl | curl | 6.5 |
| curl | curl | 6.5.1 |
| curl | curl | 6.5.2 |
| curl | curl | 7.1 |
| curl | curl | 7.1.1 |
| curl | curl | 7.2 |
| curl | curl | 7.2.1 |
| curl | curl | 7.3 |
| curl | curl | 7.4 |
| curl | curl | 7.4.1 |
| curl | curl | 7.4.2 |
| curl | curl | 7.5 |
| curl | curl | 7.5.1 |
| curl | curl | 7.5.2 |
| curl | curl | 7.6 |
| curl | curl | 7.6.1 |
| curl | curl | 7.7 |
| curl | curl | 7.7.1 |
| curl | curl | 7.7.2 |
| curl | curl | 7.7.3 |
| curl | curl | 7.8 |
| curl | curl | 7.8.1 |
| curl | curl | 7.8.2 |
| curl | curl | 7.9 |
| curl | curl | 7.9.1 |
| curl | curl | 7.9.2 |
| curl | curl | 7.9.3 |
| curl | curl | 7.9.4 |
| curl | curl | 7.9.5 |
| curl | curl | 7.9.6 |
| curl | curl | 7.9.7 |
| curl | curl | 7.9.8 |
| curl | curl | 7.10 |
| curl | curl | 7.10.1 |
| curl | curl | 7.10.2 |
| curl | curl | 7.10.3 |
| curl | curl | 7.10.4 |
| curl | curl | 7.10.5 |
| curl | curl | 7.10.6 |
| curl | curl | 7.10.7 |
| curl | curl | 7.10.8 |
| curl | curl | 7.11.1 |
| curl | curl | 7.12 |
Showing first 50 of 80 affected products.
Weakness Types
CWE-352
CVE Information
- CVE ID: CVE-2009-0037
- Published: 2009-03-05
- Modified: 2026-04-23
- CVSS Score: 6.8
- Severity: MEDIUM
- Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Affected Vendors
curl