CVE-2016-8615

Description

A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.

CVSS Metrics

• v3.0•MEDIUM•Score: 5.3CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
• v3.0•HIGH•Score: 7.5CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
• v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS Trends

Current EPSS score: 4.29%• Percentile: 89%

Techniques & Countermeasures

• CWE-254•7PK - Security Features

  Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

• CWE-99•Improper Control of Resource Identifiers ('Resource Injection')

  The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

Affected Systems

• haxx•curl

  < 7.51.0

• the curl project•curl

  7.51.0

References (12)

• https://access.redhat.com/errata/RHSA-2018:3558
• http://www.securityfocus.com/bid/94096
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8615
• https://curl.haxx.se/CVE-2016-8615.patch
• https://curl.haxx.se/docs/adv_20161102A.html
• https://www.tenable.com/security/tns-2016-21
• http://www.securitytracker.com/id/1037192
• http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
• https://access.redhat.com/errata/RHSA-2018:2486
• https://security.gentoo.org/glsa/201701-47
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E