Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2016-8621 |
CWE-ID | CWE-125 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | cURL (Client/Desktop applications / Other client software) |
Vendor | curl.haxx.se |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU33020
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-8621
CWE-ID: CWE-125 - Out-of-bounds read
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out-of-bounds read when it receives an input that is one digit short.
Mitigation
Install the update from the vendor's website.
Vulnerable software versions
cURL: 7.1 - 7.50.3
External links
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/94101
http://www.securitytracker.com/id/1037192
http://access.redhat.com/errata/RHSA-2018:2486
http://access.redhat.com/errata/RHSA-2018:3558
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8621
http://curl.haxx.se/CVE-2016-8621.patch
http://curl.haxx.se/docs/adv_20161102G.html
http://security.gentoo.org/glsa/201701-47
http://www.tenable.com/security/tns-2016-21
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.