In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They are used when for any reason an existing TLS connection couldn’t be kept alive to make the next handshake faster. This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range.

CPENameOperatorVersion
libcurlge7.52.0
libcurlle7.53.1

CPE	Name	Operator	Version
	libcurl	ge	7.52.0
	libcurl	le	7.53.1

References

www.securityfocus.com/bid/97962

www.securitytracker.com/id/1038341

bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7468

curl.haxx.se/docs/adv_20170419.html

security.gentoo.org/glsa/201709-14

nvd 2

cvelist 2

archlinux 2

alpinelinux 2

redhatcve 2

osv 4

ubuntucve 2

nessus 34

freebsd 2

cve 2

debiancve 2

veracode 3

ibm 6

openvas 19

ubuntu 2

altlinux 1

prion 1

debian 2

fedora 2

centos 1

oraclelinux 1

kaspersky 1

mageia 1

amazon 1

redhat 3

cloudfoundry 1

slackware 1

gentoo 2

apple 4

photon 2

androidsecurity 1

suse 2

oracle 2

nvd

CVE-2017-7468

2018-07-16 13:29:00

CVE-2016-5419

2016-08-10 14:59:03

cvelist

CVE-2017-7468

2018-07-16 13:00:00

CVE-2016-5419

2016-08-10 14:00:00

archlinux

[ASA-201704-12] curl: certificate verification bypass

2017-04-29 00:00:00

curl: multiple issues

2016-08-08 00:00:00

alpinelinux

CVE-2017-7468

2018-07-16 13:29:00

CVE-2016-5419

2016-08-10 14:59:03

redhatcve

CVE-2017-7468

2017-04-19 07:41:35

CVE-2016-5419

2019-10-08 10:52:43

osv

CVE-2017-7468

2018-07-16 13:29:00

CVE-2016-5419

2016-08-10 14:59:00

curl - security update

2016-08-04 00:00:00

ubuntucve

CVE-2017-7468

2017-04-19 00:00:00

CVE-2016-5419

2016-08-03 00:00:00

nessus

FreeBSD : cURL -- TLS session resumption client cert bypass (again) (3e2e9b44-25ce-11e7-a175-939b30e0836d)

2017-04-21 00:00:00

Fedora 26 : curl (2017-3eec07cb06)

2017-07-17 00:00:00

Ubuntu 17.04 : curl vulnerability (USN-3262-1)

2017-04-21 00:00:00

freebsd

cURL -- TLS session resumption client cert bypass (again)

2017-04-19 00:00:00

Vulnerabilities in Curl

2016-08-03 00:00:00

cve

CVE-2017-7468

2018-07-16 13:29:00

CVE-2016-5419

2016-08-10 14:59:03

debiancve

CVE-2017-7468

2018-07-16 13:29:00

CVE-2016-5419

2016-08-10 14:59:03

veracode

Security Bypass

2020-12-06 03:49:50

TLS Session Resumption Client Certificate Bypass

2019-01-15 09:14:08

TLS Session Resumption Client Certificate Bypass

2018-07-20 08:31:52

ibm

Security Bulletin: Aspera Web Applications (Faspex, Console) and On Demand products are affected by OpenSSL Vulnerability (CVE-2017-7468)

2019-08-14 22:57:54

Security Bulletin: Vulnerabilities in cURL/libcURL affect IBM Flex System Chassis Management Module

2019-01-31 02:25:02

Security Bulletin: Vulnerabilities in cURL/libcURL affect IBM Flex System EN6131 40Gb Ethernet / IB6131 40Gb Infiniband Switch Firmware

2023-12-07 22:31:02

openvas

Ubuntu: Security Advisory (USN-3262-1)

2017-04-24 00:00:00

Debian: Security Advisory (DLA-586-1)

2023-03-08 00:00:00

Fedora Update for curl FEDORA-2016-8354baae0f

2016-08-18 00:00:00

ubuntu

curl vulnerability

2017-04-20 00:00:00

curl vulnerabilities

2016-08-08 00:00:00

altlinux

Security fix for the ALT Linux 8 package curl version 7.54.0-alt1

2017-04-19 00:00:00

prion

Session fixation

2016-08-10 14:59:00

debian

[SECURITY] [DLA 586-1] curl security update

2016-08-04 17:47:12

[SECURITY] [DSA 3638-1] curl security update

2016-08-03 12:53:27

fedora

[SECURITY] Fedora 24 Update: curl-7.47.1-6.fc24

2016-08-05 20:56:11

[SECURITY] Fedora 23 Update: curl-7.43.0-8.fc23

2016-08-16 22:24:26

centos

curl, libcurl security update

2016-11-25 15:56:44

oraclelinux

curl security, bug fix, and enhancement update

2016-11-09 00:00:00

kaspersky

KLA10859 Security bypass vulnerabilities in cURL

2016-08-03 00:00:00

mageia

Updated curl packages fix security vulnerability

2016-08-31 18:32:33

amazon

Medium: curl

2016-08-17 13:30:00

redhat

(RHSA-2016:2575) Moderate: curl security, bug fix, and enhancement update

2016-11-03 06:07:14

(RHSA-2018:3558) Moderate: httpd24 security, bug fix, and enhancement update

2018-11-13 08:00:33

(RHSA-2016:2957) Important: Red Hat JBoss Core Services Apache HTTP 2.4.23 Release

2016-12-15 22:02:12

cloudfoundry

USN-3048-1 curl vulnerability | Cloud Foundry

2016-08-25 00:00:00

slackware

[slackware-security] curl

2016-08-06 21:10:00

gentoo

cURL: Multiple vulnerabilities

2017-09-17 00:00:00

cURL: Multiple vulnerabilities

2017-01-19 00:00:00

apple

About the security content of macOS Sierra 10.12.6, Security Update 2017-003 El Capitan, and Security Update 2017-003 Yosemite - Apple Support

2017-11-02 11:25:42

About the security content of macOS Sierra 10.12.6, Security Update 2017-003 El Capitan, and Security Update 2017-003 Yosemite

2017-07-19 00:00:00

About the security content of macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite - Apple Support

2020-07-27 08:14:17

photon

Critical Photon OS Security Update - PHSA-2023-4.0-0420

2023-07-05 00:00:00

Critical Photon OS Security Update - PHSA-2023-3.0-0603

2023-06-26 00:00:00

androidsecurity

Android Security Bulletin—December 2016

2016-12-05 00:00:00

suse

Security update for SLES 12-SP1 Docker image (important)

2017-10-11 03:07:32

Security update for SLES 12 Docker image (important)

2017-10-11 03:06:53

oracle

Oracle Critical Patch Update - October 2018

2018-12-18 00:00:00

Oracle Critical Patch Update Advisory - April 2017

2017-04-18 00:00:00

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

7.4 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

75.4%

JSON

Related for PRION:CVE-2017-7468