What is CVE-2017-8817?

CVE-2017-8817 is a vulnerability in curl and libcurl before version 7.57.0 that allows remote attackers to cause a denial of service or possibly have unspecified other impact via a string ending with an '[' character.

How severe is CVE-2017-8817?

CVE-2017-8817 has a severity rating of 9.8 (Critical).

What software is affected by CVE-2017-8817?

The software affected by CVE-2017-8817 includes curl and libcurl versions prior to 7.57.0.

How can I fix CVE-2017-8817?

To fix CVE-2017-8817, update curl and libcurl to version 7.57.0 or later.

Where can I find more information about CVE-2017-8817?

You can find more information about CVE-2017-8817 in the following references: [bugzilla.redhat.com](https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1356600&action=diff), [bugzilla.redhat.com](https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1356600&action=edit), [github.com](https://github.com/curl/curl/commit/0825cd80a62c).

Vulnerability/
CVE-2017-8817

critical

9.8

CWE

125

21/11/2017

29/11/2017

5/8/2024

CVE-2017-8817

First published: Tue Nov 21 2017(Updated: )

libcurl contains a read out of bounds flaw in the FTP wildcard function. libcurl's FTP wildcard matching feature, which is enabled with the `CURLOPT_WILDCARDMATCH` option can use a built-in wildcard function or a user provided one. The built-in wildcard function has a flaw that makes it not detect the end of the pattern string if it ends with an open bracket (`[`) but instead it will continue reading the heap beyond the end of the URL buffer that holds the wildcard. For applications that use HTTP(S) URLs, allow libcurl to handle redirects and have FTP wildcards enabled, this flaw can be triggered by malicious servers that can redirect clients to a URL using such a wildcard pattern. - Affected versions: libcurl 7.21.0 to and including 7.56.1 - Not affected versions: libcurl < 7.21.0 and >= 7.57.0

Credit: security@debian.org

Affected Software	Affected Version	How to fix
redhat/curl	<7.57.0	7.57.0
Haxx Curl	>=7.21.0<=7.56.1
Haxx Libcurl	>7.21.0<=7.56.1
Debian Debian Linux	=8.0
Debian Debian Linux	=9.0
debian/curl		7.64.0-4+deb10u2 7.64.0-4+deb10u7 7.74.0-1.3+deb11u9 7.74.0-1.3+deb11u10 7.88.1-10+deb12u3 7.88.1-10+deb12u4 8.4.0-2

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2017-8817?
CVE-2017-8817 is a vulnerability in curl and libcurl before version 7.57.0 that allows remote attackers to cause a denial of service or possibly have unspecified other impact via a string ending with an '[' character.
How severe is CVE-2017-8817?
CVE-2017-8817 has a severity rating of 9.8 (Critical).
What software is affected by CVE-2017-8817?
The software affected by CVE-2017-8817 includes curl and libcurl versions prior to 7.57.0.
How can I fix CVE-2017-8817?
To fix CVE-2017-8817, update curl and libcurl to version 7.57.0 or later.
Where can I find more information about CVE-2017-8817?
You can find more information about CVE-2017-8817 in the following references: [bugzilla.redhat.com](https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1356600&action=diff), [bugzilla.redhat.com](https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1356600&action=edit), [github.com](https://github.com/curl/curl/commit/0825cd80a62c).

collector/nvd-index
collector/security-tracker-debian
agent/references
agent/type
agent/last-modified-date
agent/softwarecombine
agent/first-publish-date
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2017-8817
agent/software-canonical-lookup
agent/weakness
agent/author
agent/severity
agent/tags
agent/description
agent/event
collector/mitre-cve
source/MITRE
vendor/haxx
canonical/haxx curl
version/haxx curl/7.21.0
version/haxx curl/7.56.1
canonical/haxx libcurl
version/haxx libcurl/7.56.1
vendor/debian
canonical/debian debian linux
version/debian debian linux/8.0
version/debian debian linux/9.0
package-manager/debian
package-manager/redhat