CVE-2016-8624
published 2018-07-31CVE-2016-8624: curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be…
PriorityP336high7.5CVSS 3.0
AVNACLPRNUINSUCNIHAN
EPSS
1.14%
78.9th percentile
curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_sierra_10.12.2_security_update_2016-003_el_capitan_and_security_update_201 | — | — |
| asynchttpclient_project | async-http-client | < 2.0.35 | 2.0.35 |
| debian | async-http-client | — | — |
| debian | curl | < curl 7.51.0-1 (bookworm) | curl 7.51.0-1 (bookworm) |
| haxx | curl | < 7.51.0 | 7.51.0 |
| haxx | curl | >= 0 < 7.51.0-1 | 7.51.0-1 |
| haxx | curl | >= 0 < 7.51.0-1 | 7.51.0-1 |
| haxx | curl | >= 0 < 7.51.0-1 | 7.51.0-1 |
| haxx | curl | >= 0 < 7.51.0-1 | 7.51.0-1 |
| haxx | curl | >= 0 < 7.35.0-1ubuntu2.10 | 7.35.0-1ubuntu2.10 |
| haxx | curl | >= 0 < 7.47.0-1ubuntu2.2 | 7.47.0-1ubuntu2.2 |
CVSS provenance
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:P/A:N
ghsa7.5HIGH
osv7.5HIGH
vendor_ubuntu7.5HIGH
vendor_debian5.3LOW
vendor_redhat5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-6pj7-p5f2-4p6f: curl before version 7
ghsa_unreviewed·2022-05-13
CVE-2016-8624 [HIGH] CWE-20 GHSA-6pj7-p5f2-4p6f: curl before version 7
curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.
GHSA
Improper Input Validation in async-http-client
ghsa·2018-10-19·CVSS 7.5
CVE-2017-14063 [HIGH] CWE-20 Improper Input Validation in async-http-client
Improper Input Validation in async-http-client
Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.
OSV
Improper Input Validation in async-http-client
osv·2018-10-19·CVSS 7.5
CVE-2017-14063 [HIGH] Improper Input Validation in async-http-client
Improper Input Validation in async-http-client
Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.
OSV
CVE-2016-8624: curl before version 7
osv·2018-07-31·CVSS 7.5
CVE-2016-8624 [HIGH] CVE-2016-8624: curl before version 7
curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.
OSV
curl vulnerabilities
osv·2016-11-03·CVSS 7.5
CVE-2016-7141 [HIGH] curl vulnerabilities
curl vulnerabilities
It was discovered that curl incorrectly reused client certificates when
built with NSS. A remote attacker could possibly use this issue to hijack
the authentication of a TLS connection. (CVE-2016-7141)
Nguyen Vu Hoang discovered that curl incorrectly handled escaping certain
strings. A remote attacker could possibly use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-7167)
It was discovered that curl incorrectly handled storing cookies. A remote
attacker could possibly use this issue to inject cookies for arbitrary
domains in the cookie jar. (CVE-2016-8615)
It was discovered that curl incorrect handled case when comparing user
names and passwords. A remote attacker with knowledge of a case-insensiti
Red Hat
async-http-client: Invalid URL parsing with '?'
vendor_redhat·2017-08-28·CVSS 5.3
CVE-2017-14063 [MEDIUM] async-http-client: Invalid URL parsing with '?'
async-http-client: Invalid URL parsing with '?'
Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.
Package: async-http-client (Red Hat JBoss Fuse 6) - Will not fix
Package: async-http-client (Red Hat JBoss Fuse Service Works 6) - Will not fix
Debian
CVE-2017-14063: async-http-client - Async Http Client (aka async-http-client) before 2.0.35 can be tricked into conn...
vendor_debian·2017·CVSS 5.3
CVE-2017-14063 [MEDIUM] CVE-2017-14063: async-http-client - Async Http Client (aka async-http-client) before 2.0.35 can be tricked into conn...
Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.
Scope: local
bookworm: resolved
bullseye: resolved
sid: resolved
Apple
CVE-2016-8624: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
vendor_apple·2016-12-13·CVSS 5.3
CVE-2016-8624 [MEDIUM] CVE-2016-8624: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
Apple Security Update: About the security content of macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
Product: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
CVE: CVE-2016-8624
Component: CVE-2016-8624
Ubuntu
curl vulnerabilities
vendor_ubuntu·2016-11-03·CVSS 7.5
CVE-2016-7141 [HIGH] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
It was discovered that curl incorrectly reused client certificates when
built with NSS. A remote attacker could possibly use this issue to hijack
the authentication of a TLS connection. (CVE-2016-7141)
Nguyen Vu Hoang discovered that curl incorrectly handled escaping certain
strings. A remote attacker could possibly use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. (CVE-2016-7167)
It was discovered that curl incorrectly handled storing cookies. A remote
attacker could possibly use this issue to inject cookies for arbitrary
domains in the cookie jar. (CVE-2016-8615)
It was discovered that curl incorrect handled case when comparing user
names and pa
Red Hat
curl: Invalid URL parsing with '#'
vendor_redhat·2016-11-02·CVSS 5.3
CVE-2016-8624 [MEDIUM] CWE-20 curl: Invalid URL parsing with '#'
curl: Invalid URL parsing with '#'
curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.
Package: rh-dotnetcore10-curl (.NET Core 1.0 on Red Hat Enterprise Linux) - Out of support scope
Package: rh-dotnetcore11-curl (.NET Core 1.1 on Red Hat Enterprise Linux) - Out of support scope
Package: rh-dotnet20-curl (.NET Core 2.0 on Red Hat Enterprise Linux) - Out of support scope
Package: rh-dotnet21-curl (.NET Core 2.1 on Red Hat Enterprise Linux) - Will not fix
Package: curl (Red Hat Ent
Debian
CVE-2016-8624: curl - curl before version 7.51.0 doesn't parse the authority component of the URL corr...
vendor_debian·2016·CVSS 5.3
CVE-2016-8624 [MEDIUM] CVE-2016-8624: curl - curl before version 7.51.0 doesn't parse the authority component of the URL corr...
curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.
Scope: local
bookworm: resolved (fixed in 7.51.0-1)
bullseye: resolved (fixed in 7.51.0-1)
forky: resolved (fixed in 7.51.0-1)
sid: resolved (fixed in 7.51.0-1)
trixie: resolved (fixed in 7.51.0-1)
No detection rules found.
No public exploits indexed.
HackerOne
cURL / libcURL - CVE-2016-8624 invalid URL parsing with '#'
hackerone·2018-01-11·CVSS 5.3
CVE-2016-8624 [MEDIUM] cURL / libcURL - CVE-2016-8624 invalid URL parsing with '#'
cURL / libcURL - CVE-2016-8624 invalid URL parsing with '#'
invalid URL parsing with '#'
Project cURL Security Advisory, November 2, 2016 -
[Permalink] https://curl.haxx.se/docs/adv_20161102J.html
VULNERABILITY
curl doesn't parse the authority component of the URL correctly when the host
name part ends with a '#' character, and could instead be tricked into
connecting to a different host. This may have security implications if you for
example use a URL parser that follows the RFC to check for allowed domains
before using curl to request them.
Passing in `http://example.com#@evil.com/x.txt` would wrongly make curl send a
request to evil.com while your browser would connect to example.com given the
same URL.
The problem exists for most protocol schemes.
We are not aware of any exploit
Bugzilla
CVE-2017-14063 async-http-client: Invalid URL parsing with '?'
bugzilla·2017-09-01·CVSS 5.3
CVE-2017-14063 [MEDIUM] CVE-2017-14063 async-http-client: Invalid URL parsing with '?'
CVE-2017-14063 async-http-client: Invalid URL parsing with '?'
Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.
Upstream issue:
https://github.com/AsyncHttpClient/async-http-client/issues/1455
Discussion:
Created async-http-client tracking bugs for this issue:
Affects: fedora-all [bug 1487565]
---
This issue has been addressed in the following products:
Red Hat JBoss Fuse
Via RHSA-2018:2669 https://access.redhat.com/errata/RHSA-2018:2669
Bugzilla
CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [epel-7]
bugzilla·2016-11-02·CVSS 5.3
CVE-2016-8615 [MEDIUM] CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [epel-7]
CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being
Bugzilla
CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [fedora-all]
bugzilla·2016-11-02·CVSS 5.3
CVE-2016-8615 [MEDIUM] CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [fedora-all]
CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being
Bugzilla
CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 curl: various flaws [fedora-all]
bugzilla·2016-11-02·CVSS 5.3
CVE-2016-8615 [MEDIUM] CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 curl: various flaws [fedora-all]
CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 curl: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM cha
Bugzilla
CVE-2016-8624 curl: Invalid URL parsing with '#'
bugzilla·2016-10-25·CVSS 5.3
CVE-2016-8624 [MEDIUM] CVE-2016-8624 curl: Invalid URL parsing with '#'
CVE-2016-8624 curl: Invalid URL parsing with '#'
curl doesn't parse the authority component of the URL correctly when the host
name part ends with a '#' character, and could instead be tricked into
connecting to a different host. This may have security implications if you for
example use an URL parser that follows the RFC to check for allowed domains
before using curl to request them.
Passing in `http://example.com#@evil.com/x.txt` would wrongly make curl send a
request to evil.com while your browser would connect to example.com given the
same URL.
The problem exists for most protocol schemes.
External References:
https://curl.haxx.se/docs/adv_20161102J.html
Discussion:
Created attachment 1213819
Upstream patch
---
Created curl tracking bugs for this issue:
Affects: fedora-all [b
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlhttp://www.securityfocus.com/bid/94103http://www.securitytracker.com/id/1037192https://access.redhat.com/errata/RHSA-2018:2486https://access.redhat.com/errata/RHSA-2018:3558https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8624https://curl.haxx.se/docs/adv_20161102J.htmlhttps://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3Ehttps://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3Ehttps://lists.apache.org/thread.html/rfaa4d578587f52a9c4d176af516a681a712c664e3be440a4163691d5%40%3Ccommits.pulsar.apache.org%3Ehttps://security.gentoo.org/glsa/201701-47https://www.tenable.com/security/tns-2016-21http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlhttp://www.securityfocus.com/bid/94103http://www.securitytracker.com/id/1037192https://access.redhat.com/errata/RHSA-2018:2486https://access.redhat.com/errata/RHSA-2018:3558https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8624https://curl.haxx.se/docs/adv_20161102J.htmlhttps://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3Ehttps://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3Ehttps://lists.apache.org/thread.html/rfaa4d578587f52a9c4d176af516a681a712c664e3be440a4163691d5%40%3Ccommits.pulsar.apache.org%3Ehttps://security.gentoo.org/glsa/201701-47https://www.tenable.com/security/tns-2016-21
2018-07-31
Published