| Description |
| + |
A read out of bounds flaw has been found in the FTP wildcard function of libcurl >= 7.21.0 and < 7.57.0. libcurl's FTP wildcard matching feature, which is enabled with the `CURLOPT_WILDCARDMATCH` option can use a built-in wildcard function or a user provided one. The built-in wildcard function has a flaw that makes it not detect the end of the pattern string if it ends with an open bracket (`[`) but instead it will continue reading the heap beyond the end of the URL buffer that holds the wildcard. |
| + |
For applications that use HTTP(S) URLs, allow libcurl to handle redirects and have FTP wildcards enabled, this flaw can be triggered by malicious servers that can redirect clients to a URL using such a wildcard pattern. |
|