You are here

Curl: Vulnerabilities fixed in version 7.64.0

CVE-2019-3822, CVE-2019-3823, CVE-2018-16890
curl, ntlm, smtp

Curl released version 7.64.0 fixing three vulnerabilities [1].

No action required for Airlock WAF


  • CVE-2018-16890/CVE-2019-3822: Stack based buffer overflow and heap out-of-bounds read in the NTLM code. Airlock WAF is not affected if back-end NTLM is disabled. Even when back-end NTLM is used, the risk for Airlock WAF is negligible as a successful attack requires a compromised back-end system (or a reflected attack which would be prevented by Airlock WAF by default). Further, the curl team is not aware of any exploit of this flaw.
  • CVE-2019-3823: Heap out-of-bounds read in the SMTP code. The curl library used by Airlock WAF is compiled without SMTP support.
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required