Description
curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6Attack Vector: Network
Complexity: Low
Privileges: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None
Affected Packages4 packages
🔴Vulnerability Details
4GHSAGHSA-vx32-35rm-8jq5: curl and libcurl before 7↗2022-05-14 OSVcurl vulnerabilities↗2016-11-03 OSVCVE-2016-7141: curl and libcurl before 7↗2016-10-03 CVEListCVE-2016-7141: curl and libcurl before 7↗2016-10-03 📋Vendor Advisories
4AppleCVE-2016-7141: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite↗2016-12-13 Ubuntucurl vulnerabilities↗2016-11-03 Red Hatcurl: Incorrect reuse of client certificates↗2016-09-05 DebianCVE-2016-7141: curl - curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library...↗2016 💬Community
4BugzillaCVE-2016-7141 mingw-curl: curl: Incorrect reuse of client certificates [fedora-all]↗2016-09-05 BugzillaCVE-2016-7141 curl: Incorrect reuse of client certificates [fedora-all]↗2016-09-05 BugzillaCVE-2016-7141 curl: Incorrect reuse of client certificates↗2016-09-05 BugzillaCVE-2016-7141 mingw-curl: curl: Incorrect reuse of client certificates [epel-7]↗2016-09-05