exploitDog

CVE-2016-7141

Published: 5 Sep 2016
Source: redhat
CVSS3: 4.2
CVSS2: 4.9
EPSS: Low

Description

curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.

It was found that the libcurl library using the NSS (Network Security Services) library as TLS/SSL backend incorrectly re-used client certificates for subsequent TLS connections in certain cases. An attacker could potentially use this flaw to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.
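The advisory text above defines the affected profile as three conditions: a curl/libcurl older than 7.50.2, a build that uses the NSS TLS backend, and libnsspem.so being loadable at runtime. The script below is an added example for defenders, not code from this page, from Red Hat or from the curl project. It checks the first two conditions from the first line of `curl --version` output, which it assumes has curl's usual shape (`curl X.Y.Z (triplet) libcurl/X.Y.Z NSS/3.x ...`); the sample version lines are constructed, and the runtime check for libnsspem.so is left out.

```shell
#!/bin/sh
# Added defender check (not from the advisory or from the curl project).
# Given the first line of `curl --version`, decide whether the build matches the
# profile the advisory describes: curl/libcurl older than 7.50.2 built against
# the NSS TLS backend. Assumed input shape (typical of curl's own output):
#   curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.21 zlib/1.2.7
# The advisory's further condition, libnsspem.so being loadable at runtime,
# is not checked here.

# version_lt A B: succeed (exit 0) when dotted version A is older than B.
# Missing components are treated as 0, so "7.50" compares as 7.50.0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# curl_nss_check LINE: 0 = matches the affected profile, 1 = does not,
# 2 = the line could not be parsed as curl version output.
curl_nss_check() {
    line=$1
    ver=$(printf '%s\n' "$line" | sed -n 's/^curl \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    # The TLS backend appears as a "NAME/version" token; NSS/ marks the NSS build.
    case " $line " in
        *" NSS/"*) ;;
        *) return 1 ;;
    esac
    version_lt "$ver" 7.50.2
}

# Constructed sample version lines (not captured from real hosts).
RHEL7_NSS_OLD='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.21 Basic ECC zlib/1.2.7'
UBUNTU_OPENSSL_OLD='curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 OpenSSL/1.0.2g zlib/1.2.8'
NSS_FIXED='curl 7.50.2 (x86_64-redhat-linux-gnu) libcurl/7.50.2 NSS/3.21 zlib/1.2.7'

# report LABEL LINE: print a one-line verdict for a version line.
report() {
    rc=0
    curl_nss_check "$2" || rc=$?
    case $rc in
        0) echo "$1: version and backend match the affected profile" ;;
        1) echo "$1: not in the affected profile" ;;
        *) echo "$1: could not parse version line" ;;
    esac
}

report "sample-rhel7"  "$RHEL7_NSS_OLD"
report "sample-ubuntu" "$UBUNTU_OPENSSL_OLD"
report "sample-fixed"  "$NSS_FIXED"

# Check the host's own curl when invoked with --self.
if [ "${1:-}" = "--self" ]; then
    report "this host" "$(curl --version 2>/dev/null | head -n 1)"
fi
```

A version-string match is a screening signal, not a verdict: the advisory table on this page shows Red Hat fixing RHEL 7 through RHSA-2016:2575 without rebasing to 7.50.2, so a distribution build that reports an old version may already carry the backported fix. On such systems confirm against the package changelog or the vendor advisory rather than the version alone.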

Affected packages

Platform | Package | State | Advisory | Release date
.NET Core 1.0 on Red Hat Enterprise Linux | rh-dotnetcore10-curl | Not affected | |
.NET Core 1.1 on Red Hat Enterprise Linux | rh-dotnetcore11-curl | Not affected | |
.NET Core 2.0 on Red Hat Enterprise Linux | rh-dotnet20-curl | Not affected | |
Red Hat Enterprise Linux 5 | curl | Not affected | |
Red Hat Enterprise Linux 6 | curl | Will not fix | |
Red Hat Enterprise Virtualization 3 | mingw-virt-viewer | Will not fix | |
Red Hat JBoss Enterprise Web Server 3 | curl | Affected | |
Red Hat Enterprise Linux 7 | curl | Fixed | RHSA-2016:2575 | 03.11.2016
Red Hat Software Collections for Red Hat Enterprise Linux 6 | httpd24-curl | Fixed | RHSA-2018:3558 | 13.11.2018
Red Hat Software Collections for Red Hat Enterprise Linux 6 | httpd24-httpd | Fixed | RHSA-2018:3558 | 13.11.2018

Additional information

Status: Low
Weakness: CWE-295
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1373229 (curl: Incorrect reuse of client certificates)

EPSS: 0.00524 (percentile 66%), Low
CVSS3: 4.2 Medium
CVSS2: 4.9 Medium

Related vulnerabilities

ubuntu (CVSS3: 7.5, almost 9 years ago): curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.

nvd (CVSS3: 7.5, almost 9 years ago): curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.

debian (CVSS3: 7.5, almost 9 years ago): curl and libcurl before 7.50.2, when built with NSS and the libnsspem. ...

github (CVSS3: 7.5, over 3 years ago): curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.

suse-cvrf (over 7 years ago): Security update for curl
