CVE-2016-8622
published 2018-07-31CVE-2016-8622: The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a…
PriorityP343critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
1.88%
83.6th percentile
The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_sierra_10.12.2_security_update_2016-003_el_capitan_and_security_update_201 | — | — |
| debian | curl | < curl 7.51.0-1 (bookworm) | curl 7.51.0-1 (bookworm) |
| haxx | curl | >= 0 < 7.51.0-1 | 7.51.0-1 |
| haxx | curl | >= 0 < 7.51.0-1 | 7.51.0-1 |
| haxx | curl | >= 0 < 7.51.0-1 | 7.51.0-1 |
| haxx | curl | >= 0 < 7.51.0-1 | 7.51.0-1 |
| haxx | curl | >= 0 < 7.35.0-1ubuntu2.10 | 7.35.0-1ubuntu2.10 |
| haxx | curl | >= 0 < 7.47.0-1ubuntu2.2 | 7.47.0-1ubuntu2.2 |
| haxx | libcurl | < 7.51.0 | 7.51.0 |
| the_curl_project | curl | — | — |
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv9.8CRITICAL
vendor_ubuntu7.5HIGH
vendor_debian3.7LOW
vendor_redhat3.7LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Apple
CVE-2016-8622: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
vendor_apple·2016-12-13·CVSS 3.7
CVE-2016-8622 [LOW] CVE-2016-8622: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
Apple Security Update: About the security content of macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
Product: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
CVE: CVE-2016-8622
Component: CVE-2016-8622
Ubuntu
curl vulnerabilities
vendor_ubuntu·2016-11-03·CVSS 7.5
CVE-2016-7141 [HIGH] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
It was discovered that curl incorrectly reused client certificates when
built with NSS. A remote attacker could possibly use this issue to hijack
the authentication of a TLS connection. (CVE-2016-7141)
Nguyen Vu Hoang discovered that curl incorrectly handled escaping certain
strings. A remote attacker could possibly use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-7167)
It was discovered that curl incorrectly handled storing cookies. A remote
attacker could possibly use this issue to inject cookies for arbitrary
domains in the cookie jar. (CVE-2016-8615)
It was discovered that curl incorrect handled case when comparing user
names and pa
Red Hat
curl: URL unescape heap overflow via integer truncation
vendor_redhat·2016-11-02·CVSS 3.7
CVE-2016-8622 [LOW] CWE-190 curl: URL unescape heap overflow via integer truncation
curl: URL unescape heap overflow via integer truncation
The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.
Package: rh-dotnetcore10-curl (.NET Core 1.0 on Red Hat Enterprise Linux) - Out of support scope
Package: rh-dotnetcore11-curl (.NET Core 1.1 on Red Hat Enterprise Linux) - Out of support scope
Package: rh-dotnet20-curl (.NET Core 2.0 on Red Hat Enterprise Linux) - Out of support scope
Package: rh-dotnet
Debian
CVE-2016-8622: curl - The URL percent-encoding decode function in libcurl before 7.51.0 is called `cur...
vendor_debian·2016·CVSS 3.7
CVE-2016-8622 [LOW] CVE-2016-8622: curl - The URL percent-encoding decode function in libcurl before 7.51.0 is called `cur...
The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.
Scope: local
bookworm: resolved (fixed in 7.51.0-1)
bullseye: resolved (fixed in 7.51.0-1)
forky: resolved (fixed in 7.51.0-1)
sid: resolved (fixed in 7.51.0-1)
trixie: resolved (fixed in 7.51.0-1)
GHSA
GHSA-xfmx-53v5-938g: The URL percent-encoding decode function in libcurl before 7
ghsa_unreviewed·2022-05-14
CVE-2016-8622 [CRITICAL] CWE-787 GHSA-xfmx-53v5-938g: The URL percent-encoding decode function in libcurl before 7
The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.
OSV
CVE-2016-8622: The URL percent-encoding decode function in libcurl before 7
osv·2018-07-31·CVSS 9.8
CVE-2016-8622 [CRITICAL] CVE-2016-8622: The URL percent-encoding decode function in libcurl before 7
The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.
OSV
curl vulnerabilities
osv·2016-11-03·CVSS 7.5
CVE-2016-7141 [HIGH] curl vulnerabilities
curl vulnerabilities
It was discovered that curl incorrectly reused client certificates when
built with NSS. A remote attacker could possibly use this issue to hijack
the authentication of a TLS connection. (CVE-2016-7141)
Nguyen Vu Hoang discovered that curl incorrectly handled escaping certain
strings. A remote attacker could possibly use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-7167)
It was discovered that curl incorrectly handled storing cookies. A remote
attacker could possibly use this issue to inject cookies for arbitrary
domains in the cookie jar. (CVE-2016-8615)
It was discovered that curl incorrect handled case when comparing user
names and passwords. A remote attacker with knowledge of a case-insensiti
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [epel-7]
bugzilla·2016-11-02·CVSS 5.3
CVE-2016-8615 [MEDIUM] CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [epel-7]
CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being
Bugzilla
CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [fedora-all]
bugzilla·2016-11-02·CVSS 5.3
CVE-2016-8615 [MEDIUM] CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [fedora-all]
CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being
Bugzilla
CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 curl: various flaws [fedora-all]
bugzilla·2016-11-02·CVSS 5.3
CVE-2016-8615 [MEDIUM] CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 curl: various flaws [fedora-all]
CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 curl: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM cha
Bugzilla
CVE-2016-8622 curl: URL unescape heap overflow via integer truncation
bugzilla·2016-10-25·CVSS 3.7
CVE-2016-8622 [LOW] CVE-2016-8622 curl: URL unescape heap overflow via integer truncation
CVE-2016-8622 curl: URL unescape heap overflow via integer truncation
The URL percent-encoding decode function in libcurl is called
`curl_easy_unescape`. Internally, even if this function would be made to
allocate a unscape destination buffer larger than 2GB, it would return that
new length in a signed 32 bit integer variable, thus the length would get
either just truncated or both truncated and turned negative. That could then
lead to libcurl writing outside of its heap based buffer.
This can be triggered by a user on a 64bit system if the user can send in a
custom (very large) URL to a libcurl using program.
External References:
https://curl.haxx.se/docs/adv_20161102H.html
Discussion:
Created attachment 1213778
Upstream patch
---
Created curl tracking bugs for this issue:
Affect
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlhttp://www.securityfocus.com/bid/94105http://www.securitytracker.com/id/1037192https://access.redhat.com/errata/RHSA-2018:2486https://access.redhat.com/errata/RHSA-2018:3558https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8622https://curl.haxx.se/docs/adv_20161102H.htmlhttps://security.gentoo.org/glsa/201701-47https://www.tenable.com/security/tns-2016-21http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlhttp://www.securityfocus.com/bid/94105http://www.securitytracker.com/id/1037192https://access.redhat.com/errata/RHSA-2018:2486https://access.redhat.com/errata/RHSA-2018:3558https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8622https://curl.haxx.se/docs/adv_20161102H.htmlhttps://security.gentoo.org/glsa/201701-47https://www.tenable.com/security/tns-2016-21
2018-07-31
Published