CVE-2016-8624: Improper Input Validation in Curl

Severity
NVD: 7.5 HIGH
GHSA: 5.3
EPSS
1.3% (top 19.90%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jul 31
Latest update: May 13

Description

curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and can instead be tricked into connecting to a different host. This has security implications if, for example, you use a URL parser that follows the RFC to check for allowed domains and then pass the same URL string to curl to request it: the two parsers disagree about which host the URL names, and curl connects to the one the check never saw.
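The parser differential the description refers to, as an added illustration that is not code from curl or from this page. The two "model" parsers below are simplified reconstructions of the pre-7.51.0 and fixed authority handling as the advisory describes it, not curl's source; the URLs (such as http://example.com#@evil.com/x.txt) and the allow-list are constructed for the demonstration. An RFC 3986 parser such as Python's urlsplit stops the authority at the first '#', so it reports example.com; a parser that scans for the userinfo '@' without treating '#' as a terminator takes 'example.com#' as the userinfo and evil.com as the host. The hardened check re-serialises the URL from the parsed components so that the string handed to curl can only name the host that was approved.

```python
"""Parser differential behind CVE-2016-8624 (added example, not curl code)."""
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"example.com"}  # constructed allow-list for the demo


def _after_scheme(url: str) -> str:
    """Everything after 'scheme://' (the authority plus whatever follows)."""
    i = url.find("://")
    return url[i + 3:] if i != -1 else url


def _strip_port(hostport: str) -> str:
    """Drop ':port'; keep a bracketed IPv6 literal intact."""
    if hostport.startswith("["):
        return hostport[: hostport.find("]") + 1].lower()
    return hostport.split(":", 1)[0].lower()


def host_vulnerable_model(url: str) -> str:
    """Model of curl < 7.51.0 (assumed simplification): the authority runs up
    to the next '/', and a '@' anywhere before that is the userinfo separator.
    '#' does not end the authority, so for http://example.com#@evil.com/x.txt
    'example.com#' becomes the userinfo and evil.com the host."""
    rest = _after_scheme(url)
    slash = rest.find("/")
    authority = rest if slash == -1 else rest[:slash]
    at = authority.find("@")
    return _strip_port(authority[at + 1:])


def host_fixed_model(url: str) -> str:
    """Model of curl >= 7.51.0 and of RFC 3986: the authority ends at the first
    '/', '?' or '#', so a '@' after a '#' belongs to the fragment."""
    rest = _after_scheme(url)
    ends = [rest.find(c) for c in "/?#" if rest.find(c) != -1]
    authority = rest[: min(ends)] if ends else rest
    at = authority.find("@")
    return _strip_port(authority[at + 1:])


def naive_check_passes(url: str) -> bool:
    """The pattern the description warns about: validate the host with an
    RFC-compliant parser, then hand the *raw* string to curl."""
    return (urlsplit(url).hostname or "").lower() in ALLOWED_HOSTS


def hardened_url(url: str) -> Optional[str]:
    """Validate with the RFC parser, then rebuild the URL from its parsed parts,
    dropping userinfo and fragment. Returns None when the host is not allowed
    (or the port is malformed), so nothing is passed on to curl in that case."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or host not in ALLOWED_HOSTS:
        return None
    try:
        port = parts.port
    except ValueError:
        return None
    netloc_host = f"[{host}]" if ":" in host else host  # re-bracket IPv6
    netloc = netloc_host if port is None else f"{netloc_host}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


def differential(url: str) -> Dict[str, object]:
    """Compare the three views of one URL and what the checks would do."""
    return {
        "rfc_host": (urlsplit(url).hostname or "").lower(),
        "vulnerable_host": host_vulnerable_model(url),
        "fixed_host": host_fixed_model(url),
        "naive_check_passes": naive_check_passes(url),
        "hardened_url": hardened_url(url),
    }


if __name__ == "__main__":
    for u in ("http://example.com#@evil.com/x.txt",      # the CVE pattern
              "https://example.com:8443/api?q=1#top",    # benign, with fragment
              "http://evil.com/"):                       # plainly disallowed
        print(u, differential(u))
```

For the CVE pattern the naive check passes (urlsplit sees example.com) while the vulnerable model would connect to evil.com; the hardened check instead emits http://example.com/, which every parser, including the vulnerable model, resolves to example.com. The general lesson is the one the description implies: never let a validated string and the string you act on be parsed by two different parsers.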

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

Source      Package                  Versions
NVD         haxx/curl                < 7.51.0
Debian      haxx/curl                < 7.51.0-1+3
CVEListV5   the_curl_project/curl    7.51.0

Patches

Vulnerability Details (4)

GHSA     GHSA-6pj7-p5f2-4p6f: curl before version 7  (2022-05-13)
GHSA     Improper Input Validation in async-http-client  (2018-10-19)
OSV      CVE-2016-8624: curl before version 7  (2018-07-31)
CVEList  CVE-2016-8624: curl before version 7  (2018-07-31)

Vendor Advisories (5)

Red Hat  async-http-client: Invalid URL parsing with '?'  (2017-08-28)
Apple    CVE-2016-8624: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite  (2016-12-13)
Ubuntu   curl vulnerabilities  (2016-11-03)
Red Hat  curl: Invalid URL parsing with '#'  (2016-11-02)
Debian   CVE-2016-8624: curl - curl before version 7.51.0 doesn't parse the authority component of the URL corr...  (2016)

Community (6)

HackerOne  cURL / libcURL - CVE-2016-8624 invalid URL parsing with '#'  (2018-01-11)
Bugzilla   CVE-2017-14063 async-http-client: Invalid URL parsing with '?'  (2017-09-01)
Bugzilla   CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [epel-7]  (2016-11-02)
Bugzilla   CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [fedora-all]  (2016-11-02)
Bugzilla   CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 curl: various flaws [fedora-all]  (2016-11-02)
CVE-2016-8624 — Improper Input Validation in Haxx Curl | cvebase