Skip to main content

Curl

117 CVEs product

Monthly

CVE-2018-1000120 NuGet CRITICAL PATCH Act Now

A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 in the FTP URL handling that allows an attacker to cause a denial of service or worse. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Memory Corruption Denial Of Service Buffer Overflow Debian Linux Ubuntu Linux +7
NVD
CVSS 3.0
9.8
EPSS
12.1%
CVE-2018-1000007 CRITICAL PATCH Act Now

libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Curl Debian Linux Ubuntu Linux Enterprise Linux Desktop +10
NVD
CVSS 3.1
9.8
EPSS
8.0%
CVE-2017-8818 CRITICAL PATCH Act Now

curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact because too. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Denial Of Service Curl Libcurl
NVD
CVSS 3.0
9.8
EPSS
0.7%
CVE-2017-9502 MEDIUM This Month

In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Microsoft Curl
NVD
CVSS 3.0
5.3
EPSS
0.6%
CVE-2016-4802 HIGH This Week

Multiple untrusted search path vulnerabilities in cURL and libcurl before 7.49.1, when built with SSPI or telnet is enabled, allow local users to execute arbitrary code and conduct DLL hijacking. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Privilege Escalation Curl
NVD
CVSS 3.0
7.8
EPSS
0.6%
CVE-2016-3739 MEDIUM This Month

The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Curl
NVD
CVSS 3.0
5.3
EPSS
1.1%
CVE-2016-0755 HIGH This Week

The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Curl Ubuntu Linux Debian Linux
NVD
CVSS 3.0
7.3
EPSS
0.4%
CVE-2016-0754 MEDIUM This Month

cURL before 7.47.0 on Windows allows attackers to write to arbitrary files in the current working directory on a different drive via a colon in a remote file name. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Microsoft Curl
NVD
CVSS 3.0
5.3
EPSS
0.4%
CVE-2015-3237 MEDIUM PATCH This Month

The smb_request_state function in cURL and libcurl 7.40.0 through 7.42.1 allows remote SMB servers to obtain sensitive information from memory or cause a denial of service (out-of-bounds read and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Buffer Overflow Curl Libcurl System Management Homepage +2
NVD
CVSS 2.0
6.4
EPSS
5.1%
CVE-2015-3236 MEDIUM PATCH This Month

cURL and libcurl 7.40.0 through 7.42.1 send the HTTP Basic authentication credentials for a previous connection when reusing a reset (curl_easy_reset) connection handle to send a request to the same. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Curl Libcurl
NVD
CVSS 2.0
5.0
EPSS
4.5%
CVE-2015-3153 MEDIUM PATCH This Month

The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Enterprise Manager Ops Center Curl Libcurl Ubuntu Linux +2
NVD
CVSS 2.0
5.0
EPSS
9.8%
CVE-2015-3148 MEDIUM This Month

cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Fedora Ubuntu Linux Debian Linux Mac Os X +4
NVD
CVSS 2.0
5.0
EPSS
1.7%
CVE-2015-3145 HIGH Act Now

The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds write and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 63.7% and no vendor patch available.

Denial Of Service Buffer Overflow Fedora Ubuntu Linux Debian Linux +6
NVD
CVSS 2.0
7.5
EPSS
63.7%
CVE-2015-3144 CRITICAL Act Now

The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Buffer Overflow Mysql Enterprise Monitor Curl Libcurl +2
NVD
CVSS 2.0
9.0
EPSS
1.0%
CVE-2015-3143 MEDIUM This Month

cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Curl Ubuntu Linux Debian Linux Libcurl +2
NVD
CVSS 2.0
5.0
EPSS
3.5%
CVE-2014-3620 MEDIUM PATCH This Month

cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Curl Libcurl Mac Os X
NVD
CVSS 2.0
5.0
EPSS
1.3%
CVE-2014-3613 MEDIUM PATCH This Month

cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Curl Libcurl Mac Os X
NVD
CVSS 2.0
5.0
EPSS
1.8%
CVE-2014-2522 MEDIUM PATCH This Month

curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable.

Information Disclosure Microsoft Curl Libcurl
NVD VulDB
CVSS 2.0
4.0
EPSS
0.3%
CVE-2014-0139 MEDIUM This Month

cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate,. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure OpenSSL Curl Libcurl
NVD VulDB
CVSS 2.0
5.8
EPSS
1.2%
CVE-2014-0138 MEDIUM This Month

The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections,. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Curl Libcurl Debian Linux
NVD VulDB
CVSS 2.0
6.4
EPSS
0.7%
CVE-2014-0015 MEDIUM PATCH This Month

cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Libcurl Curl
NVD
CVSS 2.0
4.0
EPSS
1.4%
CVE-2013-4545 MEDIUM This Month

cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

OpenSSL Information Disclosure Curl Libcurl
NVD
CVSS 2.0
4.3
EPSS
0.4%
CVE-2013-2174 MEDIUM POC PATCH This Month

Heap-based buffer overflow in the curl_easy_unescape function in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote attackers to cause a denial of service (application crash) or. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available.

Buffer Overflow Denial Of Service RCE Curl Libcurl +3
NVD GitHub
CVSS 2.0
6.8
EPSS
3.2%
CVE-2013-1944 MEDIUM This Month

The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Curl Libcurl Ubuntu Linux
NVD GitHub
CVSS 2.0
5.0
EPSS
2.5%
CVE-2013-2617 Ruby HIGH This Week

lib/curl.rb in the Curl Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE Curl
NVD
CVSS 2.0
7.5
EPSS
1.4%
CVE-2013-0249 HIGH POC THREAT Act Now

Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7.26.0 through 7.28.1, when negotiating SASL DIGEST-MD5 authentication, allows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 44.2%.

Buffer Overflow Denial Of Service RCE Curl Libcurl +1
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
44.2%
Threat
4.3
CVE-2012-0036 HIGH PATCH Act Now

curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 10.3%.

SQLi Curl Libcurl
NVD GitHub
CVSS 2.0
7.5
EPSS
10.3%
EPSS 12% CVSS 9.8
CRITICAL PATCH Act Now

A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 in the FTP URL handling that allows an attacker to cause a denial of service or worse. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.

Memory Corruption Denial Of Service Buffer Overflow +9
NVD
EPSS 8% CVSS 9.8
CRITICAL PATCH Act Now

libcurl 7.1 through 7.57.0 might accidentally leak authentication data to third parties. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Curl Debian Linux +12
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to cause a denial of service (out-of-bounds access and application crash) or possibly have unspecified other impact because too. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Denial Of Service Curl +1
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

In curl before 7.54.1 on Windows and DOS, libcurl's default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Microsoft Curl
NVD
EPSS 1% CVSS 7.8
HIGH This Week

Multiple untrusted search path vulnerabilities in cURL and libcurl before 7.49.1, when built with SSPI or telnet is enabled, allow local users to execute arbitrary code and conduct DLL hijacking. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Privilege Escalation Curl
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Curl
NVD
EPSS 0% CVSS 7.3
HIGH This Week

The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Curl Ubuntu Linux +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

cURL before 7.47.0 on Windows allows attackers to write to arbitrary files in the current working directory on a different drive via a colon in a remote file name. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Microsoft Curl
NVD
EPSS 5% CVSS 6.4
MEDIUM PATCH This Month

The smb_request_state function in cURL and libcurl 7.40.0 through 7.42.1 allows remote SMB servers to obtain sensitive information from memory or cause a denial of service (out-of-bounds read and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Buffer Overflow Curl +4
NVD
EPSS 5% CVSS 5.0
MEDIUM PATCH This Month

cURL and libcurl 7.40.0 through 7.42.1 send the HTTP Basic authentication credentials for a previous connection when reusing a reset (curl_easy_reset) connection handle to send a request to the same. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Curl Libcurl
NVD
EPSS 10% CVSS 5.0
MEDIUM PATCH This Month

The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Enterprise Manager Ops Center Curl +4
NVD
EPSS 2% CVSS 5.0
MEDIUM This Month

cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Fedora Ubuntu Linux +6
NVD
EPSS 64% CVSS 7.5
HIGH Act Now

The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds write and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 63.7% and no vendor patch available.

Denial Of Service Buffer Overflow Fedora +8
NVD
EPSS 1% CVSS 9.0
CRITICAL Act Now

The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Buffer Overflow Mysql Enterprise Monitor +4
NVD
EPSS 3% CVSS 5.0
MEDIUM This Month

cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Curl Ubuntu Linux +4
NVD
EPSS 1% CVSS 5.0
MEDIUM PATCH This Month

cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Curl Libcurl +1
NVD
EPSS 2% CVSS 5.0
MEDIUM PATCH This Month

cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Curl Libcurl +1
NVD
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable.

Information Disclosure Microsoft Curl +1
NVD VulDB
EPSS 1% CVSS 5.8
MEDIUM This Month

cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate,. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure OpenSSL Curl +1
NVD VulDB
EPSS 1% CVSS 6.4
MEDIUM This Month

The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections,. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Curl Libcurl +1
NVD VulDB
EPSS 1% CVSS 4.0
MEDIUM PATCH This Month

cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Libcurl Curl
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

OpenSSL Information Disclosure Curl +1
NVD
EPSS 3% CVSS 6.8
MEDIUM POC PATCH This Month

Heap-based buffer overflow in the curl_easy_unescape function in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote attackers to cause a denial of service (application crash) or. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available.

Buffer Overflow Denial Of Service RCE +5
NVD GitHub
EPSS 2% CVSS 5.0
MEDIUM This Month

The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Curl Libcurl +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

lib/curl.rb in the Curl Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE Curl
NVD
EPSS 44% 4.3 CVSS 7.5
HIGH POC THREAT Act Now

Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7.26.0 through 7.28.1, when negotiating SASL DIGEST-MD5 authentication, allows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 44.2%.

Buffer Overflow Denial Of Service RCE +3
NVD Exploit-DB
EPSS 10% CVSS 7.5
HIGH PATCH Act Now

curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 10.3%.

SQLi Curl Libcurl
NVD GitHub
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy