CVE-2016-8617 — Out-of-bounds Write in Curl

CWE-787 — Out-of-bounds Write12 documents9 sources

Severity

7.0HIGHNVD

EPSS

0.1%

top 80.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl THE Curl Project Curl

Timeline

PublishedJul 31

Latest updateMay 13

Description

The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.0 | Impact: 5.9

Affected Packages3 packages

▶NVDhaxx/curl< 7.51.0

▶Debianhaxx/curl< 7.51.0-1+3

▶CVEListV5the_curl_project/curl7.51.0

Patches

Patch: bugzilla.redhat.com ↗Patch: curl.haxx.se ↗Patch: curl.haxx.se ↗

🔴Vulnerability Details

GHSA

GHSA-hjj8-p7vc-2hh7: The base64 encode function in curl before version 7↗2022-05-13

▶

OSV

CVE-2016-8617: The base64 encode function in curl before version 7↗2018-07-31

▶

CVEList

CVE-2016-8617: The base64 encode function in curl before version 7↗2018-07-31

▶

📋Vendor Advisories

Apple

CVE-2016-8617: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite↗2016-12-13

▶

Ubuntu

curl vulnerabilities↗2016-11-03

▶

Red Hat

curl: Out-of-bounds write via unchecked multiplication↗2016-11-02

▶

Debian

CVE-2016-8617: curl - The base64 encode function in curl before version 7.51.0 is prone to a buffer be...↗2016

▶

💬Community

Bugzilla

CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [epel-7]↗2016-11-02

▶

Bugzilla

▶

Bugzilla

CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 curl: various flaws [fedora-all]↗2016-11-02

▶

Bugzilla

CVE-2016-8617 curl: Out-of-bounds write via unchecked multiplication↗2016-10-25

▶