CVE-2016-5420

Sažetak

curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.

Reference

https://curl.haxx.se/docs/adv_20160803B.html
http://www.debian.org/security/2016/dsa-3638
http://lists.opensuse.org/opensuse-updates/2016-09/msg00094.html
http://lists.opensuse.org/opensuse-updates/2016-09/msg00011.html
http://www.securityfocus.com/bid/92309
http://www.securitytracker.com/id/1036537
http://www.ubuntu.com/usn/USN-3048-1
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.563059
https://source.android.com/security/bulletin/2016-12-01.html
https://www.tenable.com/security/tns-2016-18
https://security.gentoo.org/glsa/201701-47
http://www.securitytracker.com/id/1036739
http://rhn.redhat.com/errata/RHSA-2016-2957.html
http://rhn.redhat.com/errata/RHSA-2016-2575.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
https://access.redhat.com/errata/RHSA-2018:3558
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLPXQQKURBQFM4XM6645VRPTOE2AWG33/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K3GQH4V3XAQ5Z53AMQRDEC3C3UHTW7QR/

CVSS

Base:	5.0
Impact:	2.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	NONE

CVSS vektor

AV:N/AC:L/Au:N/C:N/I:P/A:N

Zadnje važnije ažuriranje

07-11-2023 - 02:33

Objavljeno

10-08-2016 - 14:59