CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

CVSS3: 7.5 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | HIGH |
Availability Impact | NONE |

EPSS: 0.005 Low (Percentile: 75.4%)

In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt
to resume a TLS session even if the client certificate had changed. That is
unacceptable since a server by specification is allowed to skip the client
certificate check on resume, and may instead use the old identity which was
established by the previous certificate (or no certificate). libcurl
supports by default the use of TLS session id/ticket to resume previous TLS
sessions to speed up subsequent TLS handshakes. They are used to make the
next handshake faster when, for any reason, an existing TLS connection
couldn't be kept alive. This flaw is a regression and identical to CVE-2016-5419
reported on August 3rd 2016, but affecting a different version range.
Author | Note |
---|---|
sbeattie | reported upstream mitigation: Set CURLOPT_SSL_SESSIONID_CACHE to 0L when using client certificates |
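
The following is an added example, not code from the advisory or from the curl project: a shell helper that checks a `curl --version` line against the affected range above (7.52.0 through 7.53.1) and, when a client certificate is in use, emits `--no-sessionid`, the curl tool's switch for `CURLOPT_SSL_SESSIONID_CACHE = 0`. The function names, the sample version line, the certificate file name and the URL are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: triage a curl build against 7.52.0..7.53.1 and apply the
# session-cache mitigation when a client certificate is used.

# Extract the libcurl version from the first line of `curl --version` output.
libcurl_version() {
    printf '%s\n' "$1" |
        sed -n '1s|.*libcurl/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p'
}

# Pack X.Y.Z into one integer so ranges compare numerically (7.53.1 -> 75301).
version_num() {
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots into $1 $2 $3
    IFS=$old_ifs
    echo $(( $1 * 10000 + $2 * 100 + $3 ))
}

# Succeed only if the version is inside 7.52.0..7.53.1 inclusive.
is_affected() {
    n=$(version_num "$1")
    [ "$n" -ge 75200 ] && [ "$n" -le 75301 ]
}

# Usage: mitigation_flag VERSION [curl arguments...]
# Prints --no-sessionid when an affected build is asked to send a client
# certificate (-E / --cert); prints nothing otherwise.
mitigation_flag() {
    ver=$1; shift
    is_affected "$ver" || return 0
    for arg in "$@"; do
        case $arg in
            -E*|--cert) echo "--no-sessionid"; return 0 ;;
        esac
    done
}

# Constructed sample of a `curl --version` first line (not taken from the page).
sample='curl 7.53.1 (x86_64-pc-linux-gnu) libcurl/7.53.1 OpenSSL/1.0.2k zlib/1.2.8'
ver=$(libcurl_version "$sample")
flag=$(mitigation_flag "$ver" --cert client.pem https://example.test/)
echo "libcurl $ver: extra flag for client-cert requests: ${flag:-none}"
```

On a live host, pass `"$(curl --version)"` to `libcurl_version` in place of the sample line.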