Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-4947

Опубликовано: 28 мая 2025
Источник: redhat
CVSS3: 6.5

Описание

libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.

A vulnerability was found in curl. When using WolfSSL as the TLS library, it skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. This can result in curl being unable to detect illegitimate servers or man-in-the-middle attacks, potentially leading to unauthorized connections to malicious hosts or the interception of sensitive communications. This issue only affects instances of curl and libcurl using WolfSSL as the backend TLS library.

Отчет

This vulnerability doesn't impact any Red Hat supported curl versions, as Red Hat doesn't ship WolfSSL TLS library in any product.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Confidential Compute Attestationconfidential-compute-attestation-tech-preview/trustee-rhel9Not affected
Red Hat Enterprise Linux 10curlNot affected
Red Hat Enterprise Linux 10rustNot affected
Red Hat Enterprise Linux 10snphostNot affected
Red Hat Enterprise Linux 10trustee-guest-componentsNot affected
Red Hat Enterprise Linux 6curlNot affected
Red Hat Enterprise Linux 7curlNot affected
Red Hat Enterprise Linux 8curlNot affected
Red Hat Enterprise Linux 9curlNot affected
Red Hat Enterprise Linux 9rustNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-295
https://bugzilla.redhat.com/show_bug.cgi?id=2368887libcurl: curl: QUIC certificate check skip with wolfSSL

6.5 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2025-4947

CVSS3: 6.5
ubuntu
22 дня назад

libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.

nvd логотип

CVE-2025-4947

CVSS3: 6.5
nvd
22 дня назад

libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.

debian логотип

CVE-2025-4947

CVSS3: 6.5
debian
22 дня назад

libcurl accidentally skips the certificate verification for QUIC conne ...

github логотип

GHSA-ppfq-jg49-mqj4

CVSS3: 6.5
github
22 дня назад

libcurl accidentally skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. Therefore, it does not detect impostors or man-in-the-middle attacks.

6.5 Medium

CVSS3