Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-x8ch-h5vv-q6cm

Опубликовано: 28 мая 2025
Источник: github
Github: Не прошло ревью
CVSS3: 4.8

Описание

libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing.

libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing.

EPSS

Процентиль: 3%
0.0002
Низкий

4.8 Medium

CVSS3

Дефекты

CWE-295

Связанные уязвимости

CVSS3: 4.8
ubuntu
3 месяца назад

libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing.

CVSS3: 4.8
redhat
3 месяца назад

libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing.

CVSS3: 4.8
nvd
3 месяца назад

libcurl supports *pinning* of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC and HTTP/3. Since pinning makes the transfer succeed if the pin is fine, users could unwittingly connect to an impostor server without noticing.

CVSS3: 4.8
msrc
8 дней назад

Описание отсутствует

CVSS3: 4.8
debian
3 месяца назад

libcurl supports *pinning* of the server certificate public key for HT ...

EPSS

Процентиль: 3%
0.0002
Низкий

4.8 Medium

CVSS3

Дефекты

CWE-295