Описание
The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.
| Релиз | Статус | Примечание |
|---|---|---|
| devel | not-affected | gnutls tls backend |
| esm-infra-legacy/trusty | not-affected | gnutls tls backend |
| esm-infra/xenial | not-affected | gnutls tls backend |
| precise | not-affected | gnutls tls backend |
| trusty | not-affected | gnutls tls backend |
| trusty/esm | not-affected | gnutls tls backend |
| upstream | released | 7.49.0 |
| vivid/stable-phone-overlay | not-affected | gnutls tls backend |
| vivid/ubuntu-core | not-affected | gnutls tls backend |
| wily | not-affected | gnutls tls backend |
Показывать по
EPSS
2.6 Low
CVSS2
5.3 Medium
CVSS3
Связанные уязвимости
The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.
The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.
The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) pola ...
The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.
EPSS
2.6 Low
CVSS2
5.3 Medium
CVSS3