CVE-2024-0853 — Improper Certificate Validation in Curl
Severity: 5.3 MEDIUM (NVD)
EPSS: 0.2% (top 63.63%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 3; latest update Jul 15
Description
curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to
the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (Exploitability: 3.9 | Impact: 1.4)
Vulnerability Details
OSV: CVE-2024-0853: curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed (2024-02-03)
GHSA: GHSA-697h-9h25-w4fm: curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed (2024-02-03)
Vendor Advisories
Debian: CVE-2024-0853: curl - curl inadvertently kept the SSL session ID for connections in its cache even whe... (2024)