PT-2016-7526 · Curl+3 · Curl+3
Luật Nguyễn
·
Publicado
2016-11-02
·
Atualizado
2026-05-18
·
CVE-2016-8620
CVSS v3.1
9.8
Crítica
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
curl versions prior to 7.51.0
Description
The 'globbing' feature in curl has a flaw that leads to integer overflow and out-of-bounds read via user-controlled input. This issue allows a user to specify a numerical range that can cause curl to write outside the dedicated heap allocated buffer or read outside the given buffer. The flaw exists only in the curl tool, not in the libcurl library.
Recommendations
For versions prior to 7.51.0, update to version 7.51.0 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the 'globbing' feature in curl until a patch is available. Restrict access to the 'globbing' functionality to minimize the risk of exploitation. Avoid using numerical ranges with a leading minus character, such as
[1--1], and ensure that the ending letter is specified when using letter ranges, such as [L-Z].Correção
Out of bounds Read
Buffer Overflow
Heap Based Buffer Overflow
Integer Overflow
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Alt Linux
Suse
Ubuntu
Curl