CVE-2016-9594 — Improper Initialization in Curl

CWE-665 — Improper Initialization11 documents10 sources

Severity

8.1HIGHNVD

EPSS

1.1%

top 22.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl

Timeline

PublishedApr 23

Latest updateDec 29

Description

curl before version 7.52.1 is vulnerable to an uninitialized random in libcurl's internal function that returns a good 32bit random value. Having a weak or virtually non-existent random value makes the operations that use it vulnerable.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages2 packages

▶NVDhaxx/curl< 7.52.1

▶Alpinehaxx/curl< 7.52.1-r0+21

🔴Vulnerability Details

GHSA

GHSA-qq6c-xrmh-q72x: curl before version 7↗2022-05-13

▶

OSV

CVE-2016-9594: curl before version 7↗2018-04-23

▶

CVEList

CVE-2016-9594: curl before version 7↗2018-04-23

▶

📋Vendor Advisories

Apple

CVE-2016-9594: macOS Sierra 10.12.6, Security Update 2017-003 El Capitan, and Security Update 2017-003 Yosemite↗2017-07-19

▶

Red Hat

curl: Unitialized random↗2016-12-23

▶

Debian

CVE-2016-9594: curl - curl before version 7.52.1 is vulnerable to an uninitialized random in libcurl's...↗2016

▶

🕵️Threat Intelligence

Tenable

[R5] SecurityCenter 5.4.3 Fixes Multiple Vulnerabilities↗2017-02-14

▶

Tenable

[R3] LCE 5.0.0 Fixes Multiple Third-party Library Vulnerabilities↗2017-01-31

▶

📄Research Papers

arXiv

One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware↗2022-12-29

▶

💬Community

Bugzilla

CVE-2016-9594 curl: Unitialized random↗2016-12-23

▶