Vulnerability CVE-2016-8624: Information

Description

curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.

Severity: HIGH (7.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2016-8624
Published: Aug. 1, 2018
Modified: Nov. 7, 2023
Error type identifier: CWE-20

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
curlsisyphus7.51.0-alt18.7.1-alt2ALT-PU-2016-2231-1171758Fixed
curlp107.51.0-alt18.7.1-alt2ALT-PU-2016-2231-1171758Fixed
curlp97.51.0-alt17.79.0-alt2ALT-PU-2016-2231-1171758Fixed
curlp87.52.1-alt1.M80P.17.65.0-alt1ALT-PU-2016-2480-1175378Fixed
curlc10f17.51.0-alt18.6.0-alt1ALT-PU-2016-2231-1171758Fixed
curlc9f27.51.0-alt18.6.0-alt1ALT-PU-2016-2231-1171758Fixed
curlc77.56.1-alt1.M70C.1.17.56.1-alt1.M70C.1.1ALT-PU-2018-1442-1202075Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://curl.haxx.se/docs/adv_20161102J.html
  • Patch
  • Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8624
  • Issue Tracking
  • Patch
  • Third Party Advisory
https://www.tenable.com/security/tns-2016-21
  • Third Party Advisory
GLSA-201701-47
  • Third Party Advisory
1037192
  • Third Party Advisory
  • VDB Entry
94103
  • Third Party Advisory
  • VDB Entry
RHSA-2018:2486
  • Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
    RHSA-2018:3558
      [pulsar-commits] 20200914 [GitHub] [pulsar] klwilson227 opened a new issue #8061: CVE-2017-14063
        [bookkeeper-issues] 20210628 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8
          [bookkeeper-issues] 20210629 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8

              1. Configuration 1

                cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
                End excliding
                7.51.0
            VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
            Version: v24.5.1
            Back to top