Description

A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl "engine") on invocation. If that curl is invoked by a privileged user it can do anything it wants.

Remediation

References

CVE-2019-5443

Related Vulnerabilities

MySQL CVE-2017-3650 Vulnerability (CVE-2017-3650)

WordPress Plugin AccessPress Social Icons Multiple SQL Injection Vulnerabilities (1.6.6)

WordPress Plugin Slimstat Analytics SQL Injection (4.9.3.2)

Dot CMS Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2016-8904)

PrestaShop Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-5269)

Severity

High

Classification

CVE-2019-5443 CWE-427 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities