Description
libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POP3S, SMTPS, etc).
A flaw was found in curl. When curl is built to use mbedTLS as the TLS backend, it does not check the server certificate of TLS connections done to a host specified as an IP address.
Statement
The curl package as shipped by Red Hat Enterprise Linux and RHSCL is not affected by this vulnerability because it does not have support for mbedTLS.
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | curl | Not affected | | |
| Red Hat Enterprise Linux 6 | curl | Not affected | | |
| Red Hat Enterprise Linux 7 | curl | Not affected | | |
| Red Hat Enterprise Linux 8 | curl | Not affected | | |
| Red Hat Enterprise Linux 9 | curl | Not affected | | |
| Red Hat Software Collections | httpd24-curl | Not affected | | |
| JBoss Core Services for RHEL 8 | jbcs-httpd24-curl | Fixed | RHSA-2024:2693 | 07.05.2024 |
| JBoss Core Services for RHEL 8 | jbcs-httpd24-httpd | Fixed | RHSA-2024:2693 | 07.05.2024 |
| JBoss Core Services for RHEL 8 | jbcs-httpd24-mod_http2 | Fixed | RHSA-2024:2693 | 07.05.2024 |
| JBoss Core Services for RHEL 8 | jbcs-httpd24-mod_jk | Fixed | RHSA-2024:2693 | 07.05.2024 |
Additional information
CVSS3: 5.3 Medium