CVE-2017-2629 — Improper Certificate Validation in Curl

CWE-295 — Improper Certificate Validation9 documents9 sources

Severity

6.5MEDIUMNVD

CNA4.3

EPSS

0.4%

top 41.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Curl

Timeline

PublishedJul 27

Latest updateMay 13

Description

curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. This could lead to users not detecting when a server's certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in re…

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDhaxx/curl< 7.53.0

▶Debianhaxx/curl< 7.52.1-3+3

▶CVEListV5curl/curl7.53.0

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-7cp4-w7q7-w394: curl before 7↗2022-05-13

▶

CVEList

CVE-2017-2629: curl before 7↗2018-07-27

▶

OSV

CVE-2017-2629: curl before 7↗2018-07-27

▶

📋Vendor Advisories

Apple

CVE-2017-2629: macOS Sierra 10.12.6, Security Update 2017-003 El Capitan, and Security Update 2017-003 Yosemite↗2017-07-19

▶

Red Hat

curl: SSL_VERIFYSTATUS ignored↗2017-02-22

▶

Debian

CVE-2017-2629: curl - curl before 7.53.0 has an incorrect TLS Certificate Status Request extension fea...↗2017

▶

🕵️Threat Intelligence

Tenable

[R1] LCE 5.0.1 Fixes Two Third-party Library Vulnerabilities↗2017-03-22

▶

💬Community

Bugzilla

CVE-2017-2629 curl: SSL_VERIFYSTATUS ignored↗2017-02-22

▶