Input validation error in curl.haxx.se cURL
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2016-8625 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
cURL Client/Desktop applications / Other client software |
| Vendor | curl.haxx.se |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Input validation error
EUVDB-ID: #VU33014
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-8625
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.
MitigationInstall update from vendor's website.
Vulnerable software versionscURL: 7.1 - 7.50.3
CPE2.3- cpe:2.3:a:curl_haxx_se:curl:7.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl_haxx_se:curl:7.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl_haxx_se:curl:7.2:*:*:*:*:*:*:*
https://www.securityfocus.com/bid/94107
https://www.securitytracker.com/id/1037192
https://access.redhat.com/errata/RHSA-2018:2486
https://access.redhat.com/errata/RHSA-2018:3558
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8625
https://curl.haxx.se/CVE-2016-8625.patch
https://curl.haxx.se/docs/adv_20161102K.html
https://security.gentoo.org/glsa/201701-47
https://www.tenable.com/security/tns-2016-21
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
