CVE-2016-5419: Improper Certificate Validation in libcurl

Severity
7.5 HIGH (NVD)
EPSS
2.0% (top 16.44%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: 2016-08-10
Latest update: 2022-05-14

Description

curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.
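The description above is the whole mechanism: a cached TLS session is looked up by server endpoint alone, so a later connection configured with a different client certificate resumes the earlier session and the server keeps treating it as the earlier identity. The following is an added example, not curl's code: it models a client-side session cache in the endpoint-only configuration the description attributes to curl/libcurl before 7.50.1, and in a configuration that binds the client certificate into the cache key. No real TLS runs; the modelled server only records which client identity it authenticated. The host name, port and certificate labels are constructed; `upstream_affected` encodes only the "before 7.50.1" cut-off stated on this page and deliberately ignores distribution backports. How curl itself implemented the fix is not stated here and is not modelled.

```python
"""Model of the libcurl session-cache defect described in CVE-2016-5419.

Added example, not curl's code. It contrasts a cache keyed only on the
server endpoint (the flawed behaviour) with one that also binds the client
certificate used in the original handshake. No real TLS is performed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """A cached session and the client identity the server tied to it."""
    session_id: str
    client_cert: Optional[str]  # label of the cert presented at full handshake


class SessionCache:
    """Client-side cache of resumable sessions.

    bind_client_cert=False reproduces the flaw: the lookup key ignores which
    client certificate the cached session was negotiated with.
    """

    def __init__(self, bind_client_cert: bool) -> None:
        self.bind_client_cert = bind_client_cert
        self._sessions: Dict[tuple, Session] = {}

    def __len__(self) -> int:
        return len(self._sessions)

    def _key(self, host: str, port: int, client_cert: Optional[str]) -> tuple:
        if self.bind_client_cert:
            return (host, port, client_cert)
        return (host, port)  # vulnerable: endpoint only

    def lookup(self, host: str, port: int, client_cert: Optional[str]) -> Optional[Session]:
        return self._sessions.get(self._key(host, port, client_cert))

    def store(self, host: str, port: int, client_cert: Optional[str], session: Session) -> None:
        self._sessions[self._key(host, port, client_cert)] = session


def connect(cache: SessionCache, host: str, port: int,
            client_cert: Optional[str]) -> Tuple[Optional[str], bool]:
    """Open one connection; return (identity the server sees, resumed?).

    On resumption the server restores the state of the earlier handshake,
    including the client identity it authenticated then; the certificate
    configured for *this* connection is never presented.
    """
    cached = cache.lookup(host, port, client_cert)
    if cached is not None:
        return cached.client_cert, True
    # Full handshake: the server verifies the presented client cert and
    # hands out a session that the client may later resume.
    session = Session(f"sid-{len(cache) + 1}", client_cert)
    cache.store(host, port, client_cert, session)
    return client_cert, False


def two_cert_scenario(bind_client_cert: bool):
    """Same host, two connections configured with different client certs.

    Returns ((identity, resumed) for the first connection, same for the second).
    Host, port and cert labels are constructed for the example.
    """
    cache = SessionCache(bind_client_cert)
    first = connect(cache, "api.example", 443, "cert-alice")
    second = connect(cache, "api.example", 443, "cert-bob")
    return first, second


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def upstream_affected(version: str) -> bool:
    """True when an *upstream* curl/libcurl version is before 7.50.1.

    Distribution packages backport the fix under their own version numbers,
    so compare those against the distro ranges on this page instead.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    return (major, minor, patch) < (7, 50, 1)


if __name__ == "__main__":
    print("endpoint-only cache :", two_cert_scenario(bind_client_cert=False))
    print("cert-bound cache    :", two_cert_scenario(bind_client_cert=True))
    for v in ("7.35.0", "7.50.0", "7.50.1", "7.64.1"):
        print(v, "affected" if upstream_affected(v) else "not affected")
```

With the endpoint-only cache the second connection, configured with `cert-bob`, is resumed and the server still sees `cert-alice`; with the certificate bound into the key it performs a fresh handshake as `cert-bob`. Refusing to cache at all whenever a client certificate is configured is an equally valid way to close the gap; binding the certificate into the key keeps resumption available for repeated connections under the same identity.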

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4 packages)

NVD: haxx/libcurl 7.50.0
Debian: haxx/curl < 7.50.1-1+3
Ubuntu: haxx/curl < 7.35.0-1ubuntu2.8+1
NVD: opensuse/leap 42.1

Also affects: Debian Linux 8.0

Patches

🔴 Vulnerability Details (4)

GHSA: GHSA-j5mq-cppw-g9w7: curl and libcurl before 7 (2022-05-14)
CVEList: CVE-2016-5419: curl and libcurl before 7 (2016-08-10)
OSV: CVE-2016-5419: curl and libcurl before 7 (2016-08-10)
OSV: curl vulnerabilities (2016-08-08)

📋 Vendor Advisories (6)

Red Hat: curl: TLS session resumption client cert bypass (2017-04-19)
Apple: CVE-2016-5419: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite (2016-12-13)
Android: CVE-2016-5419: Android Security Bulletin 2016-12-01, CVE: CVE-2016-5419, Severity: HIGH, Affected AOSP versions: 7 (2016-12-01)
Ubuntu: curl vulnerabilities (2016-08-08)
Red Hat: curl: TLS session resumption client cert bypass (2016-08-03)

💬 Community (5)

Bugzilla: CVE-2017-7468 curl: TLS session resumption client cert bypass (2017-04-19)
Bugzilla: CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 mingw-curl: various flaws [epel-7] (2016-08-03)
Bugzilla: CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 curl: various flaws [fedora-all] (2016-08-03)
Bugzilla: CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 mingw-curl: various flaws [fedora-all] (2016-08-03)
Bugzilla: CVE-2016-5419 curl: TLS session resumption client cert bypass (2016-08-01)
CVE-2016-5419 — Improper Certificate Validation | cvebase