CVE-2016-8616 — DEPRECATED: Authentication Bypass Issues in Curl
Severity
5.9MEDIUMNVD
CNA3.7
EPSS
4.1%
top 11.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedAug 1
Latest updateMay 13
Description
A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.
CVSS vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6
Affected Packages3 packages
Patches
🔴Vulnerability Details
3📋Vendor Advisories
4💬Community
4Bugzilla▶
CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [epel-7]↗2016-11-02
Bugzilla▶
CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [fedora-all]↗2016-11-02
Bugzilla▶
CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 curl: various flaws [fedora-all]↗2016-11-02