CVE-2016-8616
Description
curl before 7.51.0 reuses connections with case-insensitive password comparison, allowing a remote attacker to reuse a connection if they know a case-insensitive version of the password.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A flaw exists in curl versions prior to 7.51.0 where the connection reuse logic in the ConnectionExists() function compares user names and passwords in a case-insensitive manner. This behavior allows an attacker to potentially reuse an existing connection that was established with different case credentials, provided the attacker knows a case-insensitive version of the correct password. The vulnerability is specific to protocols that have connection-scoped credentials. [1][4]
Exploitation
An attacker must know a case-insensitive version of the password for an existing, unused connection. With that knowledge, the attacker can trigger connection reuse by using the case-insensitive variant during the connection attempt, bypassing the intended credential check. No direct network position requirement is specified beyond being able to initiate connections to the target service. [3][4]
Impact
Successful exploitation allows an attacker to reuse an authenticated connection that was originally established with proper credentials. This could lead to unauthorized access to services or actions performed as the legitimate user, depending on the protocol and application context. The impact is mitigated by the requirement that the attacker already knows a case-insensitive version of the password. [2][4]
Mitigation
Upgrade to curl version 7.51.0 or later, which was released on November 2, 2016, and includes proper case-sensitive password comparison in the connection reuse logic. Red Hat has addressed this issue in software collections (httpd24-curl updated to 7.61.1) and JBoss Core Services (Apache HTTP Server 2.4.29 packages). No workaround is mentioned in the references. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. [1][2][4]
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
OSV coordinates (10 versions):
- pkg:rpm/opensuse/curl&distro=openSUSE%20Tumbleweed
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP1
- pkg:rpm/suse/curl&distro=SUSE%20Studio%20Onsite%201.3
- pkg:rpm/suse/curl-openssl1&distro=SUSE%20Linux%20Enterprise%20Server%2011-SECURITY
Affected version ranges:
- (no CPE) range: < 7.51.0-1.1
- (no CPE) range: < 7.37.0-31.1
- (no CPE) range: < 7.19.7-1.64.1
- (no CPE) range: < 7.37.0-31.1
- (no CPE) range: < 7.19.7-1.64.1
- (no CPE) range: < 7.37.0-31.1
- (no CPE) range: < 7.19.7-1.64.1
- (no CPE) range: < 7.37.0-31.1
- (no CPE) range: < 7.19.7-1.20.47.2
- (no CPE) range: < 7.19.7-1.64.1
- The Curl Project/curl (v5) range: 7.51.0
Patches
1 file changed · +23 −1
docs/THANKS+23 −1 modified@@ -20,6 +20,7 @@ Adriano Meirelles Ajit Dhumale Aki Koskinen Akos Pasztory +Akshay Vernekar Alain Danteny Alan Pinstein Albert Chin-A-Young @@ -48,6 +49,7 @@ Alexander Krasnostavsky Alexander Lazic Alexander Pepper Alexander Peslyak +Alexander Sinditskiy Alexander Traud Alexander Zhuravlev Alexey Borzov @@ -77,10 +79,12 @@ Andreas Ntaflos Andreas Olsson Andreas Rieke Andreas Schuldei +Andreas Streichardt Andreas Wurf Andrei Benea Andrei Cipu Andrei Kurushin +Andrei Sedoi Andrej E Baranov Andrew Benham Andrew Biggs @@ -215,6 +219,7 @@ Chris Smowton Chris Young Christian Fillion Christian Grothoff +Christian Heimes Christian Hägele Christian Krause Christian Kurz @@ -291,6 +296,7 @@ Daniel Theron Daniel at touchtunes Darryl House Darshan Mody +Darío Hereñú Dave Dribin Dave Halbakken Dave Hamilton @@ -496,6 +502,7 @@ Greg Morse Greg Onufer Greg Pratt Greg Zavertnik +Gregory Szorc Grigory Entin Guenole Bescon Guenter Knauf @@ -817,6 +824,7 @@ Luke Call Luke Dashjr Luo Jinghua Luong Dinh Dung +Luật Nguyễn Lyndon Hill Maciej Karpiuk Maciej Puzio @@ -869,12 +877,13 @@ Marquis de Muesli Martijn Koster Martin C. Martin Martin Drasar +Martin Frodl Martin Hager Martin Hedenfalk Martin Jansen Martin Lemke Martin Skinner -Martin Storsjo +Martin Storsjö Martin Vejnár Marty Kuhrt Maruko @@ -948,6 +957,7 @@ Mike Power Mike Protts Mike Revi Miklos Nemeth +Miloš Ljumović Miroslav Franc Miroslav Spousta Mitz Wark @@ -1031,6 +1041,7 @@ Pau Garcia i Quiles Paul Donohue Paul Harrington Paul Howarth +Paul Joyce Paul Marks Paul Marquis Paul Moore @@ -1101,6 +1112,7 @@ Rafaël Carré Rainer Canavan Rainer Jung Rainer Koenig +Rainer Müller Rajesh Naganathan Rajkumar Mandal Ralf S. Engelschall @@ -1117,6 +1129,7 @@ Razvan Cojocaru Reinhard Max Reinout van Schouwen Remi Gacogne +Remo E Renato Botelho Renaud Chaillat Renaud Duhaut @@ -1145,6 +1158,7 @@ Richard Silverman Richard van den Berg Rick Jones Rick Richardson +Rider Linden Rob Crittenden Rob Davies Rob Jones 
@@ -1216,9 +1230,11 @@ Scott Cantor Scott Davis Scott McCreary Sean Boudreau +Sebastian Mundry Sebastian Pohlschmidt Sebastian Rasmussen Senthil Raja Velu +Sergei Kuzmin Sergei Nikulov Sergey Tatarincev Sergio Ballestrero @@ -1260,6 +1276,7 @@ Stefan Tomanek Stefan Ulrich Steinar H. Gunderson Stephan Bergmann +Stephen Brokenshire Stephen Collyer Stephen Kick Stephen More @@ -1330,6 +1347,7 @@ Tobias Stoeckmann Toby Peterson Todd A Ouska Todd Kulesza +Todd Short Todd Vierling Tom Benoist Tom Donovan @@ -1357,6 +1375,7 @@ Toni Moreno Tony Kelman Toon Verwaest Tor Arntsen +Torben Dannhauer Torsten Foertsch Toshio Kuratomi Toshiyuki Maezawa @@ -1372,6 +1391,7 @@ Ulf Samuelsson Ulrich Doehner Ulrich Telle Ulrich Zadow +Valentin David Venkat Akella Victor Snezhko Vijay Panghal @@ -1439,9 +1459,11 @@ dkjjr89 on github eXeC64 on github jveazey on github kreshano on github +lukaszgn on github marc-groundctl on github neex on github nk +nopjmp on github silveja1 on github swalkaus at yahoo.com tommink[at]post.pl
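Review bot: every hunk above touches only docs/THANKS (contributor names, plus the "Martin Storsjo" to "Martin Storsjö" spelling fix) and contains no code change, so it has no bearing on the CVE-2016-8616 fix; keeping this housekeeping change out of the security patch set would let reviewers audit the single lib/url.c commit on its own.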
b3ee26c5df75 connectionexists: use case sensitive user/password comparisons
1 file changed · +6 −6
lib/url.c+6 −6 modified@@ -3394,8 +3394,8 @@ ConnectionExists(struct Curl_easy *data, if(!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) { /* This protocol requires credentials per connection, so verify that we're using the same name and password as well */ - if(!strequal(needle->user, check->user) || - !strequal(needle->passwd, check->passwd)) { + if(strcmp(needle->user, check->user) || + strcmp(needle->passwd, check->passwd)) { /* one of them was different */ continue; } @@ -3455,8 +3455,8 @@ ConnectionExists(struct Curl_easy *data, possible. (Especially we must not reuse the same connection if partway through a handshake!) */ if(wantNTLMhttp) { - if(!strequal(needle->user, check->user) || - !strequal(needle->passwd, check->passwd)) + if(strcmp(needle->user, check->user) || + strcmp(needle->passwd, check->passwd)) continue; } else if(check->ntlm.state != NTLMSTATE_NONE) { @@ -3470,8 +3470,8 @@ ConnectionExists(struct Curl_easy *data, if(!check->proxyuser || !check->proxypasswd) continue; - if(!strequal(needle->proxyuser, check->proxyuser) || - !strequal(needle->proxypasswd, check->proxypasswd)) + if(strcmp(needle->proxyuser, check->proxyuser) || + strcmp(needle->proxypasswd, check->proxypasswd)) continue; } else if(check->proxyntlm.state != NTLMSTATE_NONE) {
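Review bot: the third hunk (proxy credentials) keeps the explicit `if(!check->proxyuser || !check->proxypasswd) continue;` guard before the new `strcmp()` calls, but the first two hunks pass `needle->user`, `check->user`, `needle->passwd` and `check->passwd` straight to `strcmp()` with no such guard visible; since `strcmp()` on a NULL pointer is undefined behaviour, confirm that those four fields are always non-NULL on the credentials-per-connection and NTLM paths, or add the same NULL check there. Otherwise the substitution is the right fix: `strcmp()` returns non-zero on any byte difference, so a password differing only in case no longer matches a cached connection.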
Vulnerability mechanics
Root cause
"Case-insensitive string comparison (strequal) of user names and passwords in connection reuse logic allows a connection with case-different credentials to be incorrectly matched."
Attack vector
An attacker who knows a case-insensitive variant of the correct password can cause curl to reuse an existing authenticated connection that was established with the proper credentials [patch_id=2247604]. The `ConnectionExists()` function previously used `strequal()` (case-insensitive comparison) for user name and password checks, so a request with a password differing only in case would match an existing connection [patch_id=2247604]. This allows the attacker to bypass authentication by reusing a connection whose credentials they do not fully know.
Affected code
The vulnerability is in the `ConnectionExists()` function in `lib/url.c` [patch_id=2247604]. The function compares user names and passwords when deciding whether to reuse an existing connection for protocols whose credentials are bound to the connection (those without the PROTOPT_CREDSPERREQUEST flag) and for NTLM/Proxy-NTLM authentication states.
What the fix does
The patch replaces `strequal()` (case-insensitive string comparison) with `strcmp()` (case-sensitive comparison) in three code paths within `ConnectionExists()` [patch_id=2247604]. These paths handle credential-per-connection protocols, NTLM authentication, and proxy-NTLM authentication. The change ensures that only connections with exactly matching user names and passwords are reused, preventing an attacker from reusing a connection with a case-different variant of the correct password.
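The following is an added example, not code from the curl project or from this record, illustrating the mechanics described in the Vulnerability and What-the-fix-does passages above. It models a tiny connection cache with a simplified case-insensitive comparison standing in for the `strequal()` the patch removed, and shows that a password differing only in case matches an idle cached connection under the old comparison but not under `strcmp()`. The struct, the cache contents ("alice"/"S3cret") and the function names are constructed for this example; the credentials-per-request flag mirrors the `PROTOPT_CREDSPERREQUEST` test visible in the diff.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a cached connection; not curl's struct connectdata. */
struct cached_conn {
    const char *user;
    const char *passwd;
    int in_use;            /* non-zero: currently serving a transfer */
    int creds_per_request; /* non-zero: credentials travel with each request,
                              so the cache does not key on them (cf. PROTOPT_CREDSPERREQUEST) */
};

/* Simplified case-insensitive equality, in the spirit of the removed strequal().
 * This is an assumption for the example, not curl's implementation. */
static int strequal_ci(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == *b; /* equal only if both strings ended together */
}

/* Return the index of a reusable cached connection, or -1 if none matches.
 * case_sensitive == 0 reproduces the pre-7.51.0 behaviour, 1 the fixed behaviour. */
static int connection_exists(const struct cached_conn *cache, size_t n,
                             const char *user, const char *passwd,
                             int case_sensitive)
{
    for (size_t i = 0; i < n; i++) {
        if (cache[i].in_use)
            continue;
        if (cache[i].creds_per_request)
            return (int)i; /* credentials are not connection-scoped: no check needed */
        /* Defensive: treat a connection with missing credentials as non-matching
           rather than handing NULL to a string comparison. */
        if (!cache[i].user || !cache[i].passwd || !user || !passwd)
            continue;
        int match = case_sensitive
            ? (strcmp(cache[i].user, user) == 0 && strcmp(cache[i].passwd, passwd) == 0)
            : (strequal_ci(cache[i].user, user) && strequal_ci(cache[i].passwd, passwd));
        if (match)
            return (int)i;
    }
    return -1;
}

/* Constructed sample cache: one idle connection authenticated with the real credentials. */
static const struct cached_conn sample_cache[] = {
    { "alice", "S3cret", 0, 0 },
};

/* Lookup with a password that differs from the cached one only in case. */
int lookup_case_variant(int case_sensitive)
{
    return connection_exists(sample_cache, 1, "alice", "s3CRET", case_sensitive);
}

/* Lookup with the exact credentials; must succeed in both modes. */
int lookup_exact(int case_sensitive)
{
    return connection_exists(sample_cache, 1, "alice", "S3cret", case_sensitive);
}

int main(void)
{
    printf("case-variant password, pre-fix comparison: index %d\n", lookup_case_variant(0)); /* 0: reused */
    printf("case-variant password, fixed comparison:   index %d\n", lookup_case_variant(1)); /* -1: not reused */
    printf("exact credentials, fixed comparison:       index %d\n", lookup_exact(1));        /* 0: reused */
    return 0;
}
```

The only difference between the two modes is the comparison function, which is exactly the shape of the three-line substitution in the patch; the NULL guard is an addition of this example (modelled on the proxy path's `if(!check->proxyuser || !check->proxypasswd)` check) and not part of the upstream fix.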
Preconditions
- input: The attacker must know a case-insensitive variant of the correct password for the target connection
- config: An unused connection with proper credentials must already exist in curl's connection cache
- config: The protocol must use connection-scoped credentials (no PROTOPT_CREDSPERREQUEST flag) or NTLM authentication
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/errata/RHSA-2018:2486 (mitre; vendor-advisory; x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2018:3558 (mitre; vendor-advisory; x_refsource_REDHAT)
- security.gentoo.org/glsa/201701-47 (mitre; vendor-advisory; x_refsource_GENTOO)
- www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (mitre; x_refsource_CONFIRM)
- www.securityfocus.com/bid/94094 (mitre; vdb-entry; x_refsource_BID)
- www.securitytracker.com/id/1037192 (mitre; vdb-entry; x_refsource_SECTRACK)
- bugzilla.redhat.com/show_bug.cgi (mitre; x_refsource_CONFIRM)
- curl.haxx.se/CVE-2016-8616.patch (mitre; x_refsource_CONFIRM)
- curl.haxx.se/docs/adv_20161102B.html (mitre; x_refsource_CONFIRM)
- www.tenable.com/security/tns-2016-21 (mitre; x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.