QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2016-8624

Back to search

CVE-2016-8624

Published: Jul 31, 2018

Modified: Apr 16, 2026

PUBLISHED

CVSS v3.0

5.3

MEDIUM

Description

curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.

VendorProductVersions

The Curl Project

curl

affected
7.51.0

Weaknesses (CWE)

CWE-20

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

References

RHSA-2018:3558
vendor-advisory
x_refsource_REDHAT
1037192
vdb-entry
x_refsource_SECTRACK
RHSA-2018:2486
vendor-advisory
x_refsource_REDHAT
GLSA-201701-47
vendor-advisory
x_refsource_GENTOO
94103
vdb-entry
x_refsource_BID

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now