CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
76.3%
libcurl-using applications can ask for a specific client certificate to be
used in a transfer. This is done with the CURLOPT_SSLCERT
option
(--cert
with the command line tool).When libcurl is built to use the
macOS native TLS library Secure Transport, an application can ask for the
client certificate by name or with a file name - using the same option. If
the name exists as a file, it will be used instead of by name.If the
appliction runs with a current working directory that is writable by other
users (like /tmp
), a malicious user can create a file name with the same
name as the app wants to use by name, and thereby trick the application to
use the file based cert instead of the one referred to by name making
libcurl send the wrong client certificate in the TLS connection handshake.
Author | Note |
---|---|
mdeslaur | This issue only affects MacOS. Ubuntu is not affected. |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
76.3%