F5 Networks BIG-IP : cURL and libcurl vulnerability (K01006862)
Medium Nessus Plugin ID 105434
SynopsisThe remote device is missing a vendor-supplied security patch.
DescriptionA flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.(CVE-2016-8615)
When a cURL connection stores a cookie state and is written into a cookie jar file that is later used for the subsequent cURL requests, a malicious web server can inject new cookies into the affected cookie jar for arbitrary domains. This exploit requires access to a malicious web server that serves cookies.
SolutionUpgrade to one of the non-vulnerable versions listed in the F5 Solution K01006862.