CVE-2016-5420: Improper Authorization in Libcurl

Severity: 7.5 HIGH (NVD)
EPSS: 1.1% (top 22.06%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 10; Latest update May 14

Description

curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4 packages)

NVD: haxx/libcurl 7.50.0
Debian: haxx/curl < 7.50.1-1+3
Ubuntu: haxx/curl < 7.35.0-1ubuntu2.8+1
NVD: opensuse/leap 42.1

Also affects: Debian Linux 8.0

Patches

Vulnerability Details (4)

GHSA: GHSA-qpjh-642g-hgh8: curl and libcurl before 7 (2022-05-14)
CVEList: CVE-2016-5420: curl and libcurl before 7 (2016-08-10)
OSV: CVE-2016-5420: curl and libcurl before 7 (2016-08-10)
OSV: curl vulnerabilities (2016-08-08)

Vendor Advisories (6)

Apple: CVE-2016-5420: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite (2016-12-13)
Android: CVE-2016-5420: Android Security Bulletin 2016-12-01; CVE: CVE-2016-5420; Severity: HIGH; Affected AOSP versions: 7 (2016-12-01)
Red Hat: curl: Incorrect reuse of client certificates (2016-09-05)
Ubuntu: curl vulnerabilities (2016-08-08)
Red Hat: curl: Re-using connection with wrong client cert (2016-08-03)

Community (5)

Bugzilla: CVE-2016-7141 curl: Incorrect reuse of client certificates (2016-09-05)
Bugzilla: CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 mingw-curl: various flaws [epel-7] (2016-08-03)
Bugzilla: CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 curl: various flaws [fedora-all] (2016-08-03)
Bugzilla: CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 mingw-curl: various flaws [fedora-all] (2016-08-03)
Bugzilla: CVE-2016-5420 curl: Re-using connection with wrong client cert (2016-08-01)
CVE-2016-5420 — Improper Authorization in Haxx Libcurl | cvebase