CVE-2016-8623 — Use After Free in Curl

CWE-416 — Use After Free12 documents9 sources

Severity

7.5HIGHNVD

EPSS

0.8%

top 25.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl THE Curl Project Curl

Timeline

PublishedAug 1

Latest updateMay 13

Description

A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDhaxx/curl< 7.51.0

▶Debianhaxx/curl< 7.51.0-1+3

▶CVEListV5the_curl_project/curl7.51.0

Patches

Patch: www.oracle.com ↗Patch: bugzilla.redhat.com ↗Patch: curl.haxx.se ↗

🔴Vulnerability Details

GHSA

GHSA-jfjh-88vc-36cr: A flaw was found in curl before version 7↗2022-05-13

▶

CVEList

CVE-2016-8623: A flaw was found in curl before version 7↗2018-08-01

▶

OSV

CVE-2016-8623: A flaw was found in curl before version 7↗2018-08-01

▶

📋Vendor Advisories

Apple

CVE-2016-8623: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite↗2016-12-13

▶

Ubuntu

curl vulnerabilities↗2016-11-03

▶

Red Hat

curl: Use-after-free via shared cookies↗2016-11-02

▶

Debian

CVE-2016-8623: curl - A flaw was found in curl before version 7.51.0. The way curl handles cookies per...↗2016

▶

💬Community

Bugzilla

CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [epel-7]↗2016-11-02

▶

Bugzilla

▶

Bugzilla

CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 curl: various flaws [fedora-all]↗2016-11-02

▶

Bugzilla

CVE-2016-8623 curl: Use-after-free via shared cookies↗2016-10-25

▶