github - ghsa-7cp4-w7q7-w394

ghsa-7cp4-w7q7-w394

Vulnerability from github

Published

2022-05-13 01:36

Modified

2022-05-13 01:36

Severity

6.5 (Medium) - CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. This could lead to users not detecting when a server's certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in reality. This flaw also exists in the command line tool (--cert-status).

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2017-2629"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-27T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server\u0027s certificate\u0027s validity in the code that checks for a test success or failure. It ends up always thinking there\u0027s valid proof, even when there is none or if the server doesn\u0027t support the TLS extension in question. This could lead to users not detecting when a server\u0027s certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in reality. This flaw also exists in the command line tool (--cert-status).",
  "id": "GHSA-7cp4-w7q7-w394",
  "modified": "2022-05-13T01:36:53Z",
  "published": "2022-05-13T01:36:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2629"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2629"
    },
    {
      "type": "WEB",
      "url": "https://curl.haxx.se/docs/adv_20170222.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201703-04"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/tns-2017-09"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96382"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1037871"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

cve-2017-2629

Vulnerability from cvelistv5

Published

2018-07-27 19:00

Modified

2024-08-05 14:02

Severity

4.3 (Medium) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Summary

References

URL	Tags
http://www.securityfocus.com/bid/96382	vdb-entry, x_refsource_BID
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2629	x_refsource_CONFIRM
http://www.securitytracker.com/id/1037871	vdb-entry, x_refsource_SECTRACK
https://www.tenable.com/security/tns-2017-09	x_refsource_CONFIRM
https://curl.haxx.se/docs/adv_20170222.html	x_refsource_CONFIRM
https://security.gentoo.org/glsa/201703-04	vendor-advisory, x_refsource_GENTOO

Impacted products

Vendor	Product
CURL	curl

Show details on NVD website