Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2016-5420

curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.

Published

2016-08-10T14:59:05.080

Last Modified

2025-04-12T10:46:40.837

Status

Deferred

Source

[email protected]

Severity

CVSSv3.0: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-285

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	debian	debian_linux	8.0	Yes
Application	haxx	libcurl	≤ 7.50.0	Yes
Operating System	opensuse	leap	42.1	Yes

References

http://lists.opensuse.org/opensuse-updates/2016-09/msg00011.html ([email protected])
http://lists.opensuse.org/opensuse-updates/2016-09/msg00094.html Third Party Advisory ([email protected])
http://rhn.redhat.com/errata/RHSA-2016-2575.html ([email protected])
http://rhn.redhat.com/errata/RHSA-2016-2957.html ([email protected])
http://www.debian.org/security/2016/dsa-3638 Third Party Advisory ([email protected])
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html ([email protected])
http://www.securityfocus.com/bid/92309 ([email protected])
http://www.securitytracker.com/id/1036537 ([email protected])
http://www.securitytracker.com/id/1036739 ([email protected])
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.563059 ([email protected])
http://www.ubuntu.com/usn/USN-3048-1 ([email protected])
https://access.redhat.com/errata/RHSA-2018:3558 ([email protected])
https://curl.haxx.se/docs/adv_20160803B.html Mitigation, Patch, Vendor Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLPXQQKURBQFM4XM6645VRPTOE2AWG33/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K3GQH4V3XAQ5Z53AMQRDEC3C3UHTW7QR/ ([email protected])
https://security.gentoo.org/glsa/201701-47 ([email protected])
https://source.android.com/security/bulletin/2016-12-01.html ([email protected])
https://www.tenable.com/security/tns-2016-18 ([email protected])
http://lists.opensuse.org/opensuse-updates/2016-09/msg00011.html (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-updates/2016-09/msg00094.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2016-2575.html (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2016-2957.html (af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2016/dsa-3638 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/92309 (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1036537 (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1036739 (af854a3a-2127-422b-91ae-364da2661108)
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.563059 (af854a3a-2127-422b-91ae-364da2661108)
http://www.ubuntu.com/usn/USN-3048-1 (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:3558 (af854a3a-2127-422b-91ae-364da2661108)
https://curl.haxx.se/docs/adv_20160803B.html Mitigation, Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLPXQQKURBQFM4XM6645VRPTOE2AWG33/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K3GQH4V3XAQ5Z53AMQRDEC3C3UHTW7QR/ (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/201701-47 (af854a3a-2127-422b-91ae-364da2661108)
https://source.android.com/security/bulletin/2016-12-01.html (af854a3a-2127-422b-91ae-364da2661108)
https://www.tenable.com/security/tns-2016-18 (af854a3a-2127-422b-91ae-364da2661108)