{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2016-8615",
  "aliases": [
    "CVE-2016-8615"
  ],
  "summary": "cookie injection for other servers",
  "modified": "2025-11-12T00:50:45.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2016-8615.json",
    "www": "https://curl.se/docs/CVE-2016-8615.html",
    "CWE": {
      "id": "CWE-187",
      "desc": "Partial Comparison"
    },
    "last_affected": "7.50.3",
    "severity": "High"
  },
  "published": "2016-11-02T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "4.9"},
             {"fixed": "7.51.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "ae1912cb0d494b48d514d937826c9fe83ec96c4d"},
             {"fixed": "cff89bc088b7884098ea0c5378bbda3d49c437bc"}
           ]
        }
      ],
      "versions": [
        "7.50.3", "7.50.2", "7.50.1", "7.50.0", "7.49.1", "7.49.0", "7.48.0", 
        "7.47.1", "7.47.0", "7.46.0", "7.45.0", "7.44.0", "7.43.0", "7.42.1", 
        "7.42.0", "7.41.0", "7.40.0", "7.39.0", "7.38.0", "7.37.1", "7.37.0", 
        "7.36.0", "7.35.0", "7.34.0", "7.33.0", "7.32.0", "7.31.0", "7.30.0", 
        "7.29.0", "7.28.1", "7.28.0", "7.27.0", "7.26.0", "7.25.0", "7.24.0", 
        "7.23.1", "7.23.0", "7.22.0", "7.21.7", "7.21.6", "7.21.5", "7.21.4", 
        "7.21.3", "7.21.2", "7.21.1", "7.21.0", "7.20.1", "7.20.0", "7.19.7", 
        "7.19.6", "7.19.5", "7.19.4", "7.19.3", "7.19.2", "7.19.1", "7.19.0", 
        "7.18.2", "7.18.1", "7.18.0", "7.17.1", "7.17.0", "7.16.4", "7.16.3", 
        "7.16.2", "7.16.1", "7.16.0", "7.15.5", "7.15.4", "7.15.3", "7.15.2", 
        "7.15.1", "7.15.0", "7.14.1", "7.14.0", "7.13.2", "7.13.1", "7.13.0", 
        "7.12.3", "7.12.2", "7.12.1", "7.12.0", "7.11.2", "7.11.1", "7.11.0", 
        "7.10.8", "7.10.7", "7.10.6", "7.10.5", "7.10.4", "7.10.3", "7.10.2", 
        "7.10.1", "7.10", "7.9.8", "7.9.7", "7.9.6", "7.9.5", "7.9.4", 
        "7.9.3", "7.9.2", "7.9.1", "7.9", "7.8.1", "7.8", "7.7.3", 
        "7.7.2", "7.7.1", "7.7", "7.6.1", "7.6", "7.5.2", "7.5.1", 
        "7.5", "7.4.2", "7.4.1", "7.4", "7.3", "7.2.1", "7.2", 
        "7.1.1", "7.1", "6.5.2", "6.5.1", "6.5", "6.4", "6.3.1", 
        "6.3", "6.2", "6.1", "6.0", "5.11", "5.10", "5.9.1", 
        "5.9", "5.8", "5.7.1", "5.7", "5.5.1", "5.5", "5.4", 
        "5.3", "5.2.1", "5.2", "5.0", "4.10", "4.9"
      ]
    }
  ],
  "credits": [
    {
      "name": "Cure53",
      "type": "FINDER"
    },
    {
      "name": "Daniel Stenberg",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "If cookie state is written into a cookie jar file that is later read back and\nused for subsequent requests, a malicious HTTP server can inject new cookies\nfor arbitrary domains into said cookie jar.\n\nThe issue pertains to the function that loads cookies into memory, which reads\nthe specified file into a fixed-size buffer in a line-by-line manner using the\n`fgets()` function. If an invocation of `fgets()` cannot read the whole line\ninto the destination buffer due to it being too small, it truncates the\noutput. This way, a long cookie (name + value) sent by a malicious server\nwould be stored in the file and subsequently that cookie could be read\npartially and crafted correctly, it could be treated as a different cookie for\nanother server."
}