CVE-2016-8616

2016-11-0200:00:00

ubuntu.com

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.006 Low

EPSS

Percentile

77.4%

JSON

A flaw was found in curl before version 7.51.0 When re-using a connection,
curl was doing case insensitive comparisons of user name and password with
the existing connections. This means that if an unused connection with
proper credentials exists for a protocol that has connection-scoped
credentials, an attacker can cause that connection to be reused if s/he
knows the case-insensitive version of the correct password.

OSVersionArchitecturePackageVersionFilename
ubuntu12.04noarchcurl< 7.22.0-3ubuntu4.17UNKNOWN
ubuntu14.04noarchcurl< 7.35.0-1ubuntu2.10UNKNOWN
ubuntu16.04noarchcurl< 7.47.0-1ubuntu2.2UNKNOWN
ubuntu16.10noarchcurl< 7.50.1-1ubuntu1.1UNKNOWN
ubuntu17.04noarchcurl< 7.50.1-1ubuntu2UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	12.04	noarch	curl	< 7.22.0-3ubuntu4.17	UNKNOWN
ubuntu	14.04	noarch	curl	< 7.35.0-1ubuntu2.10	UNKNOWN
ubuntu	16.04	noarch	curl	< 7.47.0-1ubuntu2.2	UNKNOWN
ubuntu	16.10	noarch	curl	< 7.50.1-1ubuntu1.1	UNKNOWN
ubuntu	17.04	noarch	curl	< 7.50.1-1ubuntu2	UNKNOWN