Connection reuse vulnerability in "libcurl" due to incorrect checking of changes to TLS and SSH settings
Description
libcurl would reuse a previously created connection even when a TLS or SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several TLS and SSH settings were left out from the configuration match checks, making them match too easily.
Vulnerability type
Incorrect connection reuse when security settings change
EPSS
CVSS3: 7.5 High
CVSS2: 5 Medium