CVE-2016-8625
published 2018-08-01CVE-2016-8625: curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue…
PriorityP340high7.5CVSS 3.0
AVNACLPRNUINSUCNIHAN
EPSS
4.32%
89.9th percentile
curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_sierra_10.12.2_security_update_2016-003_el_capitan_and_security_update_201 | — | — |
| debian | curl | < curl 7.51.0-1 (bookworm) | curl 7.51.0-1 (bookworm) |
| haxx | curl | < 7.51.0 | 7.51.0 |
| haxx | curl | >= 0 < 7.51.0-1 | 7.51.0-1 |
| haxx | curl | >= 0 < 7.51.0-1 | 7.51.0-1 |
| haxx | curl | >= 0 < 7.51.0-1 | 7.51.0-1 |
| haxx | curl | >= 0 < 7.51.0-1 | 7.51.0-1 |
| the_curl_project | curl | — | — |
CVSS provenance
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:P/A:N
osv7.5HIGH
vendor_debian5.3MEDIUM
vendor_redhat5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-33h3-8669-hjwx: curl before version 7
ghsa_unreviewed·2022-05-13
CVE-2016-8625 [HIGH] CWE-20 GHSA-33h3-8669-hjwx: curl before version 7
curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.
OSV
CVE-2016-8625: curl before version 7
osv·2018-08-01·CVSS 7.5
CVE-2016-8625 [HIGH] CVE-2016-8625: curl before version 7
curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.
Apple
CVE-2016-8625: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
vendor_apple·2016-12-13·CVSS 5.3
CVE-2016-8625 [MEDIUM] CVE-2016-8625: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
Apple Security Update: About the security content of macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
Product: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
CVE: CVE-2016-8625
Component: CVE-2016-8625
Red Hat
curl: IDNA 2003 makes curl use wrong host
vendor_redhat·2016-11-02·CVSS 5.3
CVE-2016-8625 [MEDIUM] CWE-20 curl: IDNA 2003 makes curl use wrong host
curl: IDNA 2003 makes curl use wrong host
curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.
Package: rh-dotnetcore10-curl (.NET Core 1.0 on Red Hat Enterprise Linux) - Affected
Package: rh-dotnetcore11-curl (.NET Core 1.1 on Red Hat Enterprise Linux) - Affected
Package: rh-dotnet20-curl (.NET Core 2.0 on Red Hat Enterprise Linux) - Affected
Package: rh-dotnet21-curl (.NET Core 2.1 on Red Hat Enterprise Linux) - Will not fix
Package: curl (Red Hat Enterprise Linux 5) - Will not fix
Package: curl (Red Hat Enterprise Linux 6) - Will not fix
Package: curl (Red Hat Enterprise Linux 7) - Will not fix
Package: mingw-virt-viewer (Red Hat
Debian
CVE-2016-8625: curl - curl before version 7.51.0 uses outdated IDNA 2003 standard to handle Internatio...
vendor_debian·2016·CVSS 5.3
CVE-2016-8625 [MEDIUM] CVE-2016-8625: curl - curl before version 7.51.0 uses outdated IDNA 2003 standard to handle Internatio...
curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.
Scope: local
bookworm: resolved (fixed in 7.51.0-1)
bullseye: resolved (fixed in 7.51.0-1)
forky: resolved (fixed in 7.51.0-1)
sid: resolved (fixed in 7.51.0-1)
trixie: resolved (fixed in 7.51.0-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [epel-7]
bugzilla·2016-11-02·CVSS 5.3
CVE-2016-8615 [MEDIUM] CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [epel-7]
CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being
Bugzilla
CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [fedora-all]
bugzilla·2016-11-02·CVSS 5.3
CVE-2016-8615 [MEDIUM] CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [fedora-all]
CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625 mingw-curl: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being
Bugzilla
CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 curl: various flaws [fedora-all]
bugzilla·2016-11-02·CVSS 5.3
CVE-2016-8615 [MEDIUM] CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 curl: various flaws [fedora-all]
CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 curl: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM cha
Bugzilla
CVE-2016-8625 curl: IDNA 2003 makes curl use wrong host
bugzilla·2016-10-25·CVSS 5.3
CVE-2016-8625 [MEDIUM] CVE-2016-8625 curl: IDNA 2003 makes curl use wrong host
CVE-2016-8625 curl: IDNA 2003 makes curl use wrong host
When curl is built with libidn to handle International Domain Names (IDNA), it
translates them to puny code for DNS resolving using the IDNA 2003 standard,
while IDNA 2008 is the modern and up-to-date IDNA standard.
This misalignment causes problems with for example domains using the German ß
character (known as the Unicode Character 'LATIN SMALL LETTER SHARP S') which
is used at times in the .de TLD and is translated differently in the two IDNA
standards, leading to users potentially and unknowingly issuing network
transfer requests to the wrong host.
For example, `straße.de` is translated into `strasse.de` using IDNA 2003 but
is translated into `xn--strae-oqa.de` using IDNA 2008. Needless to say, those
host names could very well
http://www.securityfocus.com/bid/94107http://www.securitytracker.com/id/1037192https://access.redhat.com/errata/RHSA-2018:2486https://access.redhat.com/errata/RHSA-2018:3558https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8625https://curl.haxx.se/CVE-2016-8625.patchhttps://curl.haxx.se/docs/adv_20161102K.htmlhttps://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3Ehttps://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3Ehttps://security.gentoo.org/glsa/201701-47https://www.tenable.com/security/tns-2016-21http://www.securityfocus.com/bid/94107http://www.securitytracker.com/id/1037192https://access.redhat.com/errata/RHSA-2018:2486https://access.redhat.com/errata/RHSA-2018:3558https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8625https://curl.haxx.se/CVE-2016-8625.patchhttps://curl.haxx.se/docs/adv_20161102K.htmlhttps://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3Ehttps://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3Ehttps://security.gentoo.org/glsa/201701-47https://www.tenable.com/security/tns-2016-21
2018-08-01
Published