CVE-2016-10130

CWE-284 — Improper Access Control7 documents6 sources

Severity

5.9MEDIUM

EPSS

1.1%

top 22.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libgit2 Project Libgit2

Timeline

PublishedMar 24

Latest updateMay 17

Description

The http_connect function in transports/http.c in libgit2 before 0.24.6 and 0.25.x before 0.25.1 might allow man-in-the-middle attackers to spoof servers by leveraging clobbering of the error variable.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶Debianlibgit2< 0.25.1+really0.24.6-1+3

▶NVDlibgit2_project/libgit20.24.5+1

▶Debiancargo< 0.17.0-1+1

Patches

Patch: www.openwall.com ↗Patch: www.openwall.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-fhf3-77x2-3mpp: The http_connect function in transports/http↗2022-05-17

▶

CVEList

CVE-2016-10130: The http_connect function in transports/http↗2017-03-24

▶

OSV

CVE-2016-10130: The http_connect function in transports/http↗2017-03-24

▶

📋Vendor Advisories

Debian

CVE-2016-10130: cargo - The http_connect function in transports/http.c in libgit2 before 0.24.6 and 0.25...↗2016

▶

💬Community

Bugzilla

CVE-2016-10128 CVE-2016-10129 CVE-2016-10130 CVE-2017-5338 CVE-2017-5339 libgit2: Two vulnerabilities fixed in libgit 0.25.1 and 0.24.6 [epel-all]↗2017-01-10

▶

Bugzilla

CVE-2016-10128 CVE-2016-10129 CVE-2016-10130 CVE-2017-5338 CVE-2017-5339 libgit2: Two vulnerabilities fixed in libgit 0.25.1 and 0.24.6 [fedora-all]↗2017-01-10

▶