CVE-2024-0853

Опубликовано: 31 янв. 2024

Источник: redhat

CVSS3: 3.8

Описание

curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (OCSP stapling) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.

A flaw was found in Curl, where it inadvertently kept the SSL session ID for connections in its cache even when the verify status, OCSP stapling test, failed. A subsequent transfer to the same hostname could succeed if the session ID cache were still fresh, which then skips the verify status check.

Отчет

This CVE only affects upstream Curl version 8.5.0. No Red Hat products are affected by this CVE.

Затронутые пакеты

Платформа	Пакет	Состояние
Red Hat Enterprise Linux 6	curl	Not affected
Red Hat Enterprise Linux 7	curl	Not affected
Red Hat Enterprise Linux 8	curl	Not affected
Red Hat Enterprise Linux 9	curl	Not affected
Red Hat JBoss Core Services	jbcs-httpd24-curl	Not affected
Red Hat Software Collections	httpd24-curl	Not affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Low

Дефект:

CWE-299

https://bugzilla.redhat.com/show_bug.cgi?id=2262097curl: OCSP verification bypass with TLS session reuse

3.8 Low

CVSS3

Связанные уязвимости

CVE-2024-0853

CVSS3: 5.3

ubuntu

около 2 лет назад

curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.