CVE-2024-0853
Published 2024-02-03
Priority: P423, medium, 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.19% (40.6th percentile)
curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to
the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.
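The ordering problem described above can be shown with a small model. This is an added example, not curl source code: the cache structure, function names and host names are hypothetical, and cache freshness and the TLS backend are not modelled. It contrasts caching the session before the verify status check with caching it only after the check passes.

```c
/* Simplified model of the flaw; not curl source. All names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define SLOTS 4
struct session_cache { char host[SLOTS][64]; int used; };

static bool cache_has(const struct session_cache *c, const char *host) {
  for (int i = 0; i < c->used; i++)
    if (strcmp(c->host[i], host) == 0) return true;
  return false;
}

static void cache_add(struct session_cache *c, const char *host) {
  if (c->used == SLOTS || cache_has(c, host)) return;
  snprintf(c->host[c->used++], sizeof c->host[0], "%s", host);
}

/* One transfer with the verify status option on. staple_ok is the outcome of
   the OCSP stapling check on a full handshake. Returns true if it proceeds. */
static bool transfer(struct session_cache *c, const char *host,
                     bool staple_ok, bool store_before_check) {
  if (cache_has(c, host)) return true;          /* resumed: check is skipped */
  if (store_before_check) cache_add(c, host);   /* flawed: cached regardless */
  if (!staple_ok) return false;                 /* verify status failed */
  if (!store_before_check) cache_add(c, host);  /* hardened: verified only */
  return true;
}

/* Two transfers to one host (constructed name) whose status check fails;
   returns whether the second one is allowed. */
static bool second_transfer_allowed(bool store_before_check) {
  struct session_cache c;
  memset(&c, 0, sizeof c);
  transfer(&c, "revoked.example", false, store_before_check);
  return transfer(&c, "revoked.example", false, store_before_check);
}

static bool good_host_resumes(bool store_before_check) {
  struct session_cache c;
  memset(&c, 0, sizeof c);
  return transfer(&c, "good.example", true, store_before_check)
         && cache_has(&c, "good.example");
}

int main(void) {
  printf("flawed ordering:   second allowed = %d\n", second_transfer_allowed(true));
  printf("hardened ordering: second allowed = %d\n", second_transfer_allowed(false));
  return 0;
}
```

With the flawed ordering the second transfer is allowed even though the first was refused; with the hardened ordering it is refused, while a host that passes the check is still cached for resumption.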
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| curl | curl | 8.5.0 – 8.5.0 | — |
| debian | curl | < curl 8.6.0-1 (forky) | curl 8.6.0-1 (forky) |
| haxx | curl | — | — |
| haxx | curl | >= 0 < 8.6.0-r0 | 8.6.0-r0 |
| haxx | curl | >= 0 < 8.6.0-r0 | 8.6.0-r0 |
| haxx | curl | >= 0 < 8.6.0-r0 | 8.6.0-r0 |
| haxx | curl | >= 0 < 8.6.0-r0 | 8.6.0-r0 |
| haxx | curl | >= 0 < 8.6.0-r0 | 8.6.0-r0 |
| haxx | curl | >= 0 < 8.6.0-r0 | 8.6.0-r0 |
| haxx | curl | >= 0 < 8.6.0-r0 | 8.6.0-r0 |
| haxx | curl | >= 0 < 8.6.0-1 | 8.6.0-1 |
| haxx | curl | >= 0 < 8.6.0-1 | 8.6.0-1 |
| msrc | azl3_curl_8.5.0-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_curl_8.8.0-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_curl_8.5.0-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_curl_8.8.0-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
CVSS provenance
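| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| osv | — | 5.3 | MEDIUM | — |
| vendor_debian | — | 5.3 | LOW | — |
| vendor_msrc | — | 5.3 | MEDIUM | — |
| vendor_oracle | — | 5.3 | MEDIUM | — |
| vendor_redhat | — | 5.3 | MEDIUM | — |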
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: SSL Module (curl) — CVE-2024-0853
vendor_oracle·2024-07-15·CVSS 5.3
CVE-2024-0853 [MEDIUM] Oracle Oracle Fusion Middleware Risk Matrix: SSL Module (curl) — CVE-2024-0853
Oracle Oracle Fusion Middleware Risk Matrix: SSL Module (curl) vulnerability
CVE: CVE-2024-0853
CVSS: 5.3
Protocol: TLS
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2024 (JUL 2024)
Oracle
Oracle Oracle MySQL Risk Matrix: Cluster: General (curl) — CVE-2024-0853
vendor_oracle·2024-04-15·CVSS 5.3
CVE-2024-0853 [MEDIUM] Oracle Oracle MySQL Risk Matrix: Cluster: General (curl) — CVE-2024-0853
Oracle Oracle MySQL Risk Matrix: Cluster: General (curl) vulnerability
CVE: CVE-2024-0853
CVSS: 5.3
Protocol: Multiple
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2024 (APR 2024)
Microsoft
OCSP verification bypass with TLS session reuse
vendor_msrc·2024-02-13·CVSS 5.3
CVE-2024-0853 [MEDIUM] CWE-295 OCSP verification bypass with TLS session reuse
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
curl: curl
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft
Red Hat
curl: OCSP verification bypass with TLS session reuse
vendor_redhat·2024-01-31·CVSS 5.3
CVE-2024-0853 [MEDIUM] CWE-299 curl: OCSP verification bypass with TLS session reuse
curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to
the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.
A flaw was found in Curl, where it inadvertently kept the SSL session ID for connections in its cache even when the verify status, OCSP stapling test, failed. A subsequent transfer to the same hostname could succeed if the session ID cache were still fresh, which then skips the verify status check.
Statement: This CVE only affects upstream Curl version 8.5.0. No Red Hat products are affected by this CVE.
Package: curl (Red Hat Enterprise Linux 6) - Not affecte
Debian
CVE-2024-0853: curl - curl inadvertently kept the SSL session ID for connections in its cache even whe...
vendor_debian·2024·CVSS 5.3
CVE-2024-0853 [MEDIUM] CVE-2024-0853: curl - curl inadvertently kept the SSL session ID for connections in its cache even whe...
curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 8.6.0-1)
sid: resolved (fixed in 8.6.0-1)
trixie: resolved (fixed in 8.6.0-1)
OSV
CVE-2024-0853: curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed
osv·2024-02-03·CVSS 5.3
CVE-2024-0853 [MEDIUM] CVE-2024-0853: curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed
curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.
GHSA
GHSA-697h-9h25-w4fm: curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed
ghsa_unreviewed·2024-02-03
CVE-2024-0853 [MEDIUM] CWE-295 GHSA-697h-9h25-w4fm: curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed
curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to
the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.
No detection rules found.
No public exploits indexed.
HackerOne
CVE-2024-0853: OCSP verification bypass with TLS session reuse
hackerone·2024-03-27·CVSS 5.3
CVE-2024-0853 [MEDIUM] CVE-2024-0853: OCSP verification bypass with TLS session reuse
Original Report: https://hackerone.com/reports/2298922
## Impact
CWE-299: Improper Check for Certificate Revocation
CVE-2024-0853 - OCSP verification bypass with TLS session reuse
VULNERABILITY
curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (OCSP stapling) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.
INFO
This issue is limited to curl built to use OpenSSL and when using TLS 1.2 only and not TLS 1.3.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2024-0853 to this issue.
CWE-299: Improper Check for Certificate Revocation
Se
HackerOne
CVE-2024-0853: OCSP verification bypass with TLS session reuse
hackerone·2024-01-31·CVSS 5.3
CVE-2024-0853 [MEDIUM] CVE-2024-0853: OCSP verification bypass with TLS session reuse
## Summary:
In version 8.5.0, cURL has inadvertently established a pathway for accepting revoked certificates.
As a result of [this correction](https://github.com/curl/curl/pull/12418/commits/7cf0391bbc3b5b2e4402ce675124cd73dbe0187e), during TLS session reuse, OCSP stapling verification will be skipped.
However, the TLS session will be preserved regardless of OCSP verification results.
As a result, even for revoked certificates, verification is skipped during TLS session reuse.
## Steps To Reproduce:
1. Identify sites with revoked certificates.
2. `curl (1.URL) (1.URL) --cert-status`
I have prepared an environment for testing. Please use as necessary.
https://ocsptest.ddns.net/
`curl https://ocsptest.ddns.net/ https://ocsptest
Bugzilla
CVE-2024-0853 curl: OCSP verification bypass with TLS session reuse
bugzilla·2024-01-31·CVSS 5.3
CVE-2024-0853 [MEDIUM] CVE-2024-0853 curl: OCSP verification bypass with TLS session reuse
curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (OCSP stapling) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check. This issue is limited to curl built to use OpenSSL and when using TLS 1.2 only and not TLS 1.3. The issue is fixed upstream in curl 8.6.0.
References:
https://curl.se/docs/CVE-2024-0853.html
https://www.openwall.com/lists/oss-security/2024/01/31/1
Upstream fix:
https://github.com/curl/curl/commit/c28e9478cb2548848ec
References:
https://curl.se/docs/CVE-2024-0853.html
https://curl.se/docs/CVE-2024-0853.json
https://hackerone.com/reports/2298922
https://security.netapp.com/advisory/ntap-20240307-0004/
https://security.netapp.com/advisory/ntap-20240426-0009/
https://security.netapp.com/advisory/ntap-20240503-0012/