CVE-2016-8624

Опубликовано: 02 нояб. 2016

Источник: redhat

CVSS3: 5.3

CVSS2: 4.3

EPSS Низкий

Описание

curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
.NET Core 1.0 on Red Hat Enterprise Linux	rh-dotnetcore10-curl	Out of support scope
.NET Core 1.1 on Red Hat Enterprise Linux	rh-dotnetcore11-curl	Out of support scope
.NET Core 2.0 on Red Hat Enterprise Linux	rh-dotnet20-curl	Out of support scope
.NET Core 2.1 on Red Hat Enterprise Linux	rh-dotnet21-curl	Will not fix
Red Hat Enterprise Linux 5	curl	Will not fix
Red Hat Enterprise Linux 6	curl	Will not fix
Red Hat Enterprise Linux 7	curl	Will not fix
Red Hat Enterprise Virtualization 3	mingw-virt-viewer	Will not fix
Red Hat JBoss Enterprise Web Server 3	curl	Fix deferred
Red Hat Software Collections for Red Hat Enterprise Linux 6	httpd24-curl	Fixed	RHSA-2018:3558	13.11.2018

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-20

https://bugzilla.redhat.com/show_bug.cgi?id=1388390curl: Invalid URL parsing with '#'

EPSS

Процентиль: 86%

0.02902

Низкий

5.3 Medium

CVSS3

4.3 Medium

CVSS2

Связанные уязвимости

CVE-2016-8624

CVSS3: 5.3

ubuntu

почти 7 лет назад

CVE-2016-8624

CVSS3: 5.3

nvd

почти 7 лет назад

CVE-2016-8624

CVSS3: 5.3

debian

почти 7 лет назад

curl before version 7.51.0 doesn't parse the authority component of th ...

GHSA-6pj7-p5f2-4p6f

CVSS3: 7.5

github

около 3 лет назад

openSUSE-SU-2016:2768-1

suse-cvrf

больше 8 лет назад

Security update for curl

EPSS

Процентиль: 86%

0.02902

Низкий

5.3 Medium

CVSS3

4.3 Medium

CVSS2