{
  "threat_severity" : "Moderate",
  "public_date" : "2016-11-02T00:00:00Z",
  "bugzilla" : {
    "description" : "curl: IDNA 2003 makes curl use wrong host",
    "id" : "1388392",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1388392"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "status" : "verified"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2018-11-13T00:00:00Z",
    "advisory" : "RHSA-2018:3558",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6",
    "package" : "httpd24-curl-0:7.61.1-1.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2018-11-13T00:00:00Z",
    "advisory" : "RHSA-2018:3558",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6",
    "package" : "httpd24-httpd-0:2.4.34-7.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2018-11-13T00:00:00Z",
    "advisory" : "RHSA-2018:3558",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6",
    "package" : "httpd24-nghttp2-0:1.7.1-7.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2018-11-13T00:00:00Z",
    "advisory" : "RHSA-2018:3558",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "httpd24-curl-0:7.61.1-1.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2018-11-13T00:00:00Z",
    "advisory" : "RHSA-2018:3558",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "httpd24-httpd-0:2.4.34-7.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2018-11-13T00:00:00Z",
    "advisory" : "RHSA-2018:3558",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "httpd24-nghttp2-0:1.7.1-7.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS",
    "release_date" : "2018-11-13T00:00:00Z",
    "advisory" : "RHSA-2018:3558",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "httpd24-curl-0:7.61.1-1.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS",
    "release_date" : "2018-11-13T00:00:00Z",
    "advisory" : "RHSA-2018:3558",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "httpd24-httpd-0:2.4.34-7.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS",
    "release_date" : "2018-11-13T00:00:00Z",
    "advisory" : "RHSA-2018:3558",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "httpd24-nghttp2-0:1.7.1-7.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS",
    "release_date" : "2018-11-13T00:00:00Z",
    "advisory" : "RHSA-2018:3558",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "httpd24-curl-0:7.61.1-1.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS",
    "release_date" : "2018-11-13T00:00:00Z",
    "advisory" : "RHSA-2018:3558",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "httpd24-httpd-0:2.4.34-7.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS",
    "release_date" : "2018-11-13T00:00:00Z",
    "advisory" : "RHSA-2018:3558",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "httpd24-nghttp2-0:1.7.1-7.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS",
    "release_date" : "2018-11-13T00:00:00Z",
    "advisory" : "RHSA-2018:3558",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "httpd24-curl-0:7.61.1-1.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS",
    "release_date" : "2018-11-13T00:00:00Z",
    "advisory" : "RHSA-2018:3558",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "httpd24-httpd-0:2.4.34-7.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS",
    "release_date" : "2018-11-13T00:00:00Z",
    "advisory" : "RHSA-2018:3558",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "httpd24-nghttp2-0:1.7.1-7.el7"
  }, {
    "product_name" : "Text-Only JBCS",
    "release_date" : "2018-08-16T00:00:00Z",
    "advisory" : "RHSA-2018:2486",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1",
    "package" : "jbcs-httpd24-curl"
  } ],
  "package_state" : [ {
    "product_name" : ".NET Core 1.0 on Red Hat Enterprise Linux",
    "fix_state" : "Affected",
    "package_name" : "rh-dotnetcore10-curl",
    "cpe" : "cpe:/a:redhat:rhel_dotnet:1.0"
  }, {
    "product_name" : ".NET Core 1.1 on Red Hat Enterprise Linux",
    "fix_state" : "Affected",
    "package_name" : "rh-dotnetcore11-curl",
    "cpe" : "cpe:/a:redhat:rhel_dotnet:1.1"
  }, {
    "product_name" : ".NET Core 2.0 on Red Hat Enterprise Linux",
    "fix_state" : "Affected",
    "package_name" : "rh-dotnet20-curl",
    "cpe" : "cpe:/a:redhat:rhel_dotnet:2.0"
  }, {
    "product_name" : ".NET Core 2.1 on Red Hat Enterprise Linux",
    "fix_state" : "Will not fix",
    "package_name" : "rh-dotnet21-curl",
    "cpe" : "cpe:/a:redhat:rhel_dotnet:2.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "curl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Will not fix",
    "package_name" : "curl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "curl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Virtualization 3",
    "fix_state" : "Will not fix",
    "package_name" : "mingw-virt-viewer",
    "cpe" : "cpe:/a:redhat:enterprise_linux:7::hypervisor"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 3",
    "fix_state" : "Fix deferred",
    "package_name" : "curl",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-8625\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-8625\nhttps://curl.haxx.se/docs/adv_20161102K.html" ],
  "name" : "CVE-2016-8625",
  "csaw" : false
}