CVE-2017-7468: Improper Certificate Validation in libcurl

Severity: 7.5 HIGH (NVD)
EPSS: 0.5% (top 33.94%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jul 16
Latest update: May 13

Description

In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They a

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

NVD: haxx/libcurl 7.52.0 to 7.53.1
Debian: haxx/curl < 7.52.1-5+3

🔴 Vulnerability Details (3)

GHSA: GHSA-5v44-xcm9-r9jw: In curl and libcurl 7... (2022-05-13)
OSV: CVE-2017-7468: In curl and libcurl 7... (2018-07-16)
CVEList: CVE-2017-7468: In curl and libcurl 7... (2018-07-16)

📋 Vendor Advisories (4)

Apple: CVE-2017-7468: macOS Sierra 10.12.6, Security Update 2017-003 El Capitan, and Security Update 2017-003 Yosemite (2017-07-19)
Ubuntu: curl vulnerability (2017-04-20)
Red Hat: curl: TLS session resumption client cert bypass (2017-04-19)
Debian: CVE-2017-7468: curl - In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to res... (2017)

💬 Community (3)

Bugzilla: CVE-2017-7468 mingw-curl: curl: TLS session resumption client cert bypass [fedora-all] (2017-04-19)
Bugzilla: CVE-2017-7468 curl: TLS session resumption client cert bypass (2017-04-19)
Bugzilla: CVE-2017-7468 curl: TLS session resumption client cert bypass [fedora-all] (2017-04-19)
CVE-2017-7468 — Improper Certificate Validation | cvebase