CVE-2016-8621

Vulnerability

The curl_getdate function in curl versions prior to 7.51.0 contains an out-of-bounds read vulnerability. The parser uses sscanf() with format strings %02d:%02d and %02d:%02d:%02d to parse HH:MM or HH:MM:SS time components. If the input ends with a single digit (e.g., a truncated minute or second), the parser advances its read pointer one byte too far, reading beyond the allocated buffer [4]. This function is used internally for parsing HTTP cookies (possibly from remote servers) and for conditional HTTP requests [4].

Exploitation

An attacker can trigger the vulnerability by supplying a crafted date string that is one digit short of the expected two-digit minute or second field. No authentication is required if the attacker can control the input to curl_getdate, for example by sending a malicious HTTP response with a malformed Date header or a cookie with an invalid expiry time. The vulnerable code path is reached when curl parses the date string; the out-of-bounds read occurs during the sscanf() call [4].

Impact

Successful exploitation allows an attacker to cause an out-of-bounds read, which may lead to information disclosure of heap memory. In extreme cases, this could be combined with other bugs to cause a crash or leak sensitive data [4]. The read is limited to adjacent memory and does not typically result in code execution, but it violates memory safety and can disclose unintended data.

Mitigation

The vulnerability was fixed in curl version 7.51.0, released on 2016-11-02 [4]. Upstream advisory at https://curl.haxx.se/docs/adv_20161102G.html [4]. Users should upgrade to curl 7.51.0 or later. Red Hat addressed this issue in httpd24-curl 7.61.1 (RHSA-2018:3558) [1] and in JBoss Core Services Apache HTTP Server 2.4.29 (RHSA-2018:2486) [2]. Tenable LCE 4.8.2 also includes the fix [3]. No workaround is available; upgrading is required.