CVE-2013-1762

stunnel 4.21-4.54 - Remote Code Execution via CONNECT Protocol Negotiation

Title source: llm
STIX 2.1

Description

stunnel 4.21 through 4.54, when CONNECT protocol negotiation and NTLM authentication are enabled, does not correctly perform integer conversion, which allows remote proxy servers to execute arbitrary code via a crafted request that triggers a buffer overflow.

References (5)

Core 5
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-0714.html
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2013:130
Vendor Advisory x_refsource_confirm
https://www.stunnel.org/CVE-2013-1762.html
Third Party Advisory x_refsource_confirm
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0097
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2013/dsa-2664

Scores

EPSS 0.0293
EPSS Percentile 85.4%

Details

CWE
CWE-94
Status published
Products (34)
stunnel/stunnel 4.21
stunnel/stunnel 4.22
stunnel/stunnel 4.23
stunnel/stunnel 4.24
stunnel/stunnel 4.25
stunnel/stunnel 4.26
stunnel/stunnel 4.27
stunnel/stunnel 4.28
stunnel/stunnel 4.29
stunnel/stunnel 4.30
... and 24 more
Published Mar 08, 2013
Tracked Since Feb 18, 2026