PT-2016-7526 · Curl+3 · Curl+3
Luật Nguyễn
·
Published
2016-11-02
·
Updated
2026-05-18
·
CVE-2016-8620
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
curl versions prior to 7.51.0
Description
The 'globbing' feature in curl has a flaw that leads to integer overflow and out-of-bounds read via user-controlled input. This issue allows a user to specify a numerical range that can cause curl to write outside the dedicated heap allocated buffer or read outside the given buffer. The flaw exists only in the curl tool, not in the libcurl library.
Recommendations
For versions prior to 7.51.0, update to version 7.51.0 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the 'globbing' feature in curl until a patch is available. Restrict access to the 'globbing' functionality to minimize the risk of exploitation. Avoid using numerical ranges with a leading minus character, such as
[1--1], and ensure that the ending letter is specified when using letter ranges, such as [L-Z].Fix
Out of bounds Read
Buffer Overflow
Heap Based Buffer Overflow
Integer Overflow
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Suse
Ubuntu
Curl