{ "document": { "aggregate_severity": { "text": "Medium" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/rhel7els/vex/2016/cve-2016-8616-els_os-rhel7els.json" } ], "tracking": { "current_release_date": "2026-06-13T02:55:42Z", "generator": { "date": "2026-06-13T02:55:42Z", "engine": { "name": "pyCSAF" } }, "id": "CVE-2016-8616-ELS_OS-RHEL7ELS", "initial_release_date": "2016-01-01T00:00:00Z", "revision_history": [ { "date": "2016-01-01T00:00:00Z", "number": "1", "summary": "Initial version" }, { "date": "2026-06-13T02:55:42Z", "number": "2", "summary": "Official Publication" } ], "status": "final", "version": "2" }, "title": "Security update on CVE-2016-8616" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux 7", "product": { "name": "Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7", "product_identification_helper": { "cpe": "cpe:2.3:o:redhat:enterprise_linux:7:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "curl-0:7.29.0-59.0.3.el7_9.2.x86_64", "product": { "name": "curl-0:7.29.0-59.0.3.el7_9.2.x86_64", "product_id": "curl-0:7.29.0-59.0.3.el7_9.2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/curl@7.29.0-59.0.3.el7_9.2?arch=x86_64" } } }, { "category": "product_version", "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64", "product": { "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64", "product_id": "libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/libcurl@7.29.0-59.0.3.el7_9.2?arch=x86_64" } } }, { "category": "product_version", "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64", "product": { "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64", "product_id": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/libcurl-devel@7.29.0-59.0.3.el7_9.2?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.i686", "product": { "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.i686", "product_id": "libcurl-0:7.29.0-59.0.3.el7_9.2.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/libcurl@7.29.0-59.0.3.el7_9.2?arch=i686" } } }, { "category": "product_version", "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686", "product": { "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686", "product_id": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686", "product_identification_helper": { "purl": "pkg:rpm/redhat/libcurl-devel@7.29.0-59.0.3.el7_9.2?arch=i686" } } } ], "category": "architecture", "name": "i686" } ], "category": "vendor", "name": "Red Hat, Inc." }, { "branches": [ { "branches": [ { "category": "product_version", "name": "curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "product": { "name": "curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "product_id": "curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/curl@7.29.0-59.0.3.el7_9.2.tuxcare.els2?arch=x86_64" } } }, { "category": "product_version", "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "product": { "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "product_id": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/libcurl@7.29.0-59.0.3.el7_9.2.tuxcare.els2?arch=x86_64" } } }, { "category": "product_version", "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "product": { "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "product_id": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/libcurl-devel@7.29.0-59.0.3.el7_9.2.tuxcare.els2?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "product": { "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "product_id": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/libcurl@7.29.0-59.0.3.el7_9.2.tuxcare.els2?arch=i686" } } }, { "category": "product_version", "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "product": { "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "product_id": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/libcurl-devel@7.29.0-59.0.3.el7_9.2.tuxcare.els2?arch=i686" } } } ], "category": "architecture", "name": "i686" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64" }, "product_reference": "curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "curl-0:7.29.0-59.0.3.el7_9.2.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:curl-0:7.29.0-59.0.3.el7_9.2.x86_64" }, "product_reference": "curl-0:7.29.0-59.0.3.el7_9.2.x86_64", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686" }, "product_reference": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.i686 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.i686" }, "product_reference": "libcurl-0:7.29.0-59.0.3.el7_9.2.i686", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64" }, "product_reference": "libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64" }, "product_reference": "libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64" }, "product_reference": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64" }, "product_reference": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686" }, "product_reference": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "relates_to_product_reference": "Red-Hat-7" }, { "category": "default_component_of", "full_product_name": { "name": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686 as a component of Red Hat Enterprise Linux 7", "product_id": "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686" }, "product_reference": "libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686", "relates_to_product_reference": "Red-Hat-7" } ] }, "vulnerabilities": [ { "cve": "CVE-2016-8616", "cwe": { "id": "CWE-592", "name": "DEPRECATED: Authentication Bypass Issues" }, "notes": [ { "category": "description", "text": "A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "known_affected": [ "Red-Hat-7:curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "Red-Hat-7:curl-0:7.29.0-59.0.3.el7_9.2.x86_64", "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.i686", "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64", "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686", "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2016-8616" }, { "category": "external", "summary": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" }, { "category": "external", "summary": "http://www.securityfocus.com/bid/94094", "url": "http://www.securityfocus.com/bid/94094" }, { "category": "external", "summary": "http://www.securitytracker.com/id/1037192", "url": "http://www.securitytracker.com/id/1037192" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2018:2486", "url": "https://access.redhat.com/errata/RHSA-2018:2486" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2018:3558", "url": "https://access.redhat.com/errata/RHSA-2018:3558" }, { "category": "external", "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8616" }, { "category": "external", "summary": "https://curl.haxx.se/CVE-2016-8616.patch", "url": "https://curl.haxx.se/CVE-2016-8616.patch" }, { "category": "external", "summary": "https://curl.haxx.se/docs/adv_20161102B.html", "url": "https://curl.haxx.se/docs/adv_20161102B.html" }, { "category": "external", "summary": "https://security.gentoo.org/glsa/201701-47", "url": "https://security.gentoo.org/glsa/201701-47" }, { "category": "external", "summary": "https://www.tenable.com/security/tns-2016-21", "url": "https://www.tenable.com/security/tns-2016-21" } ], "release_date": "2018-08-01T06:29:00Z", "remediations": [ { "category": "no_fix_planned", "date": "2026-06-12T13:06:10.240802Z", "details": "CVE-2016-8616 only manifests on protocols with connection-scoped authentication (e.g., FTP/IMAP/SMTP) when an already-authenticated idle libcurl connection is reused, and exploitation further requires an attacker to supply a case-insensitive variant of the correct password—an inherently high‑complexity, client‑side precondition. It has no confidentiality or availability impact, limiting risk to potential integrity effects on the remote service targeted by that specific connection. In centrally managed server/VM workloads where curl/libcurl is run non‑interactively with fixed credentials and without cross‑user connection sharing, arranging such mis‑reuse is impractical, so this issue can be safely deprioritized.", "product_ids": [ "Red-Hat-7:curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "Red-Hat-7:curl-0:7.29.0-59.0.3.el7_9.2.x86_64", "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.i686", "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64", "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686", "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64" ] } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0" }, "products": [ "Red-Hat-7:curl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "Red-Hat-7:curl-0:7.29.0-59.0.3.el7_9.2.x86_64", "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.i686", "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "Red-Hat-7:libcurl-0:7.29.0-59.0.3.el7_9.2.x86_64", "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.i686", "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.i686", "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.tuxcare.els2.x86_64", "Red-Hat-7:libcurl-devel-0:7.29.0-59.0.3.el7_9.2.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] } ] }