CVE-2016-8620 — Classic Buffer Overflow in Curl

CWE-120 — Classic Buffer Overflow CWE-125 — Out-of-bounds Read CWE-190 — Integer Overflow or Wraparound12 documents9 sources

Severity

9.8CRITICALNVD

EPSS

0.8%

top 25.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl THE Curl Project Curl

Timeline

PublishedAug 1

Latest updateMay 13

Description

The 'globbing' feature in curl before version 7.51.0 has a flaw that leads to integer overflow and out-of-bounds read via user controlled input.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDhaxx/curl< 7.51.0

▶Debianhaxx/curl< 7.51.0-1+3

▶CVEListV5the_curl_project/curl7.51.0

Patches

Patch: www.oracle.com ↗Patch: bugzilla.redhat.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-rrg6-wpjx-p5jf: The 'globbing' feature in curl before version 7↗2022-05-13

▶

OSV

CVE-2016-8620: The 'globbing' feature in curl before version 7↗2018-08-01

▶

CVEList

CVE-2016-8620: The 'globbing' feature in curl before version 7↗2018-08-01

▶

📋Vendor Advisories

Apple

CVE-2016-8620: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite↗2016-12-13

▶

Ubuntu

curl vulnerabilities↗2016-11-03

▶

Red Hat

curl: Glob parser write/read out of bounds↗2016-11-02

▶

Debian

CVE-2016-8620: curl - The 'globbing' feature in curl before version 7.51.0 has a flaw that leads to in...↗2016

▶

💬Community

Bugzilla

CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [epel-7]↗2016-11-02

▶

Bugzilla

▶

Bugzilla

CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 curl: various flaws [fedora-all]↗2016-11-02

▶

Bugzilla

CVE-2016-8620 curl: Glob parser write/read out of bounds↗2016-10-25

▶