CVE-2016-3739 — Improper Input Validation in Curl

CWE-20 — Improper Input Validation CWE-345 — Insufficient Verification of Data Authenticity9 documents8 sources

Severity

5.3MEDIUMNVD

EPSS

1.1%

top 22.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl

Timeline

PublishedMay 20

Latest updateMar 29

Description

The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages2 packages

▶Debianhaxx/curl< 7.50.1-1+3

▶NVDhaxx/curl37 versions+36

🔴Vulnerability Details

GHSA

GHSA-4rcg-2r46-4hcc: The (1) mbed_connect_step1 function in lib/vtls/mbedtls↗2022-05-14

▶

CVEList

CVE-2016-3739: The (1) mbed_connect_step1 function in lib/vtls/mbedtls↗2016-05-20

▶

OSV

CVE-2016-3739: The (1) mbed_connect_step1 function in lib/vtls/mbedtls↗2016-05-20

▶

📋Vendor Advisories

Red Hat

curl: TLS certificate name check bypass with mbedTLS and PolarSSL↗2016-05-18

▶

Debian

CVE-2016-3739: curl - The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_conne...↗2016

▶

💬Community

HackerOne

CVE-2024-2466: TLS certificate check bypass with mbedTLS (reward request)↗2024-03-29

▶

HackerOne

CVE-2024-2466: TLS certificate check bypass with mbedTLS↗2024-03-27

▶

Bugzilla

CVE-2016-3739 curl: TLS certificate name check bypass with mbedTLS and PolarSSL↗2016-05-12

▶