Vulnerability Details: CVE-2016-8622
The URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function were made to allocate an unescape destination buffer larger than 2GB, it would return that new length in a signed 32-bit integer variable, so the length would get either just truncated, or both truncated and turned negative. That could then lead to libcurl writing outside of its heap-based buffer.
Vulnerability category: Overflow; Memory Corruption
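As an added illustration of the length handling described above (constructed here, not libcurl's code): a percent-decoder that tracks its output length as `size_t`, beside an int-returning wrapper that shows the truncating assignment and a hardened wrapper that fails closed when the result does not fit in an `int`. The "length 0 means use strlen()" convention follows the documented `curl_easy_unescape` contract; all function and helper names are invented.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not libcurl's code: a percent-decoder that tracks
 * its output length as size_t, plus two wrappers with the int-length API shape
 * of curl_easy_unescape (length 0 means "use strlen(in)"). */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}
/* Decode in[0..inlen) into a fresh heap buffer; decoded length goes to *olen. */
char *unescape_sz(const char *in, size_t inlen, size_t *olen) {
    char *out = malloc(inlen + 1);  /* decoding never grows the data */
    size_t o = 0;
    if (!out) return NULL;
    for (size_t i = 0; i < inlen; i++) {
        int hi, lo;
        if (in[i] == '%' && i + 2 < inlen &&
            (hi = hexval(in[i + 1])) >= 0 && (lo = hexval(in[i + 2])) >= 0) {
            out[o++] = (char)(hi * 16 + lo);
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    *olen = o;
    return out;
}
/* The pattern the advisory describes: the size_t result is stored into an int,
 * so a length above INT_MAX is truncated and may come back negative. */
char *unescape_int_unchecked(const char *in, int inlen, int *olen) {
    size_t n;
    char *out = unescape_sz(in, inlen ? (size_t)inlen : strlen(in), &n);
    if (out && olen) *olen = (int)n;
    return out;
}
/* Hardened wrapper: fail closed when the result cannot be represented as int. */
int len_fits_int(size_t n) { return n <= (size_t)INT_MAX; }
char *unescape_int_checked(const char *in, int inlen, int *olen) {
    size_t n;
    char *out = inlen < 0 ? NULL
              : unescape_sz(in, inlen ? (size_t)inlen : strlen(in), &n);
    if (out && !len_fits_int(n)) { free(out); out = NULL; }
    if (out && olen) *olen = (int)n;
    return out;
}
```

The 2GB case itself is not exercised (it needs a multi-gigabyte input); `len_fits_int` exposes the boundary so the check can be tested on its own.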
Products affected by CVE-2016-8622
- cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-8622
EPSS score: 1.27% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~84% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2016-8622
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | 
2.6 | LOW | AV:N/AC:H/Au:N/C:N/I:P/A:N | 4.9 | 2.9 | Red Hat, Inc. | 
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | 
3.7 | LOW | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N | 2.2 | 1.4 | Red Hat, Inc. | 
CWE ids for CVE-2016-8622
- A heap overflow condition is a buffer overflow where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). (Assigned by: secalert@redhat.com, Secondary)
- The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. (Assigned by: secalert@redhat.com, Secondary)
- The product writes data past the end, or before the beginning, of the intended buffer. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2016-8622
- https://security.gentoo.org/glsa/201701-47 : cURL: Multiple vulnerabilities (GLSA 201701-47), Gentoo security (Third Party Advisory)
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html : CPU Oct 2018
- https://www.tenable.com/security/tns-2016-21 : [R2] LCE 4.8.2 Fixes Multiple Third-party Library Vulnerabilities - Security Advisory | Tenable® (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8622 : 1388386 – (CVE-2016-8622) CVE-2016-8622 curl: URL unescape heap overflow via integer truncation (Issue Tracking; Patch; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:3558 : RHSA-2018:3558 - Security Advisory - Red Hat Customer Portal
- https://curl.haxx.se/docs/adv_20161102H.html : curl - URL unescape heap overflow via integer truncation - CVE-2016-8622 (Patch; Vendor Advisory)
- http://www.securityfocus.com/bid/94105 : cURL/libcURL CVE-2016-8622 Remote Security Bypass Vulnerability (Third Party Advisory; VDB Entry)
- https://access.redhat.com/errata/RHSA-2018:2486 : RHSA-2018:2486 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://www.securitytracker.com/id/1037192 : cURL/libcurl Multiple Bugs Let Remote Users Inject Cookies, Reuse Connections, and Execute Arbitrary Code and Let Local Users Obtain Potentially Sensitive Information and Execute Arbitrary Code - Secu (Third Party Advisory; VDB Entry)