QwikSec

Security Database

CVE

CWE

Training

CVE-2017-2629

Published: Jul 27, 2018

Modified: Aug 5, 2024

PUBLISHED

CVSS v3.0

4.3

MEDIUM

Description

curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. This could lead to users not detecting when a server's certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in reality. This flaw also exists in the command line tool (--cert-status).

Vendor	Product	Versions
CURL	curl	affected `7.53.0`

Weaknesses (CWE)

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

References

vdb-entry

x_refsource_BID

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2629

x_refsource_CONFIRM

vdb-entry

x_refsource_SECTRACK

https://www.tenable.com/security/tns-2017-09

x_refsource_CONFIRM

https://curl.haxx.se/docs/adv_20170222.html

x_refsource_CONFIRM

vendor-advisory

x_refsource_GENTOO

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.