CVE-2016-8624

MEDIUM

curl < 7.51.0 - URL Authority Parsing Flaw via Hostname Ending with '#'

Title source: llm
STIX 2.1

Description

curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.

References (12)

Core 12
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3558
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8624
Third Party Advisory x_refsource_confirm
https://www.tenable.com/security/tns-2016-21
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1037192
Patch, Vendor Advisory x_refsource_misc
https://curl.haxx.se/docs/adv_20161102J.html
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:2486
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201701-47
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/94103

Scores

CVSS v3 5.3
EPSS 0.0136
EPSS Percentile 80.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-20
Status published
Products (2)
haxx/curl < 7.51.0
The Curl Project/curl 7.51.0
Published Jul 31, 2018
Tracked Since Feb 18, 2026