CVE-2016-8615

EPSS 1.65%
Veröffentlicht 01.08.2018 06:29:00
Zuletzt bearbeitet 21.11.2024 02:59:40
Quelle secalert@redhat.com
CVE-Watchlists
Login
Unerledigt
Login

A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 15

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Haxx ≫ Curl Version < 7.51.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.65%	0.815

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N
secalert@redhat.com	5.3	3.9	1.4	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-99 Improper Control of Resource Identifiers ('Resource Injection')

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

https://security.gentoo.org/glsa/201701-47

Third Party Advisory

https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E

https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E

https://access.redhat.com/errata/RHSA-2018:2486

Third Party Advisory

https://www.tenable.com/security/tns-2016-21

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:3558

http://www.securitytracker.com/id/1037192

Third Party Advisory