CVE-2016-8624

NameCVE-2016-8624
Descriptioncurl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-711-1, DSA-3705-1
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
curl (PTS)stretch7.52.1-5+deb9u10fixed
stretch (security)7.52.1-5+deb9u16fixed
buster, buster (security)7.64.0-4+deb10u2fixed
bookworm, sid, bullseye7.74.0-1.3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
curlsourcewheezy7.26.0-1+wheezy17DLA-711-1
curlsourcejessie7.38.0-4+deb8u5DSA-3705-1
curlsource(unstable)7.51.0-1

Notes

https://github.com/curl/curl/commit/3bb273db7e40ebc284cff45f3ce3f0475c8339c2
https://curl.haxx.se/docs/adv_20161102J.html
https://curl.haxx.se/CVE-2016-8624.patch

Search for package or bug name: Reporting problems