CURL-CVE-2007-3564

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2007-3564.html

Import Source

https://curl.se/docs/CURL-CVE-2007-3564.json

JSON Data

https://api.osv.dev/v1/vulns/CURL-CVE-2007-3564

Aliases

CVE-2007-3564

Published

2007-07-10T08:00:00Z

Modified

2024-06-07T13:53:51Z

Summary

GnuTLS insufficient cert verification

Details

libcurl (when built to use GnuTLS) fails to verify that a peer's certificate has not already expired or has not yet become valid. This allows malicious servers to present certificates to libcurl that were not rejected properly.

Notably, the CA certificate and common name checks are still in place which reduces the risk for random servers to take advantage of this flaw.

Database specific

{
    "CWE": {
        "id": "CWE-298",
        "desc": "Improper Validation of Certificate Expiration"
    },
    "URL": "https://curl.se/docs/CVE-2007-3564.json",
    "affects": "both",
    "package": "curl",
    "severity": "Low",
    "www": "https://curl.se/docs/CVE-2007-3564.html",
    "last_affected": "7.16.3"
}

References

Credits

- Kees Cook - FINDER
- Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git /

Affected ranges

Type: SEMVER
Events: Introduced

7.14.0

Fixed

7.16.4

Affected versions

7.*

7.14.0

7.14.1

7.15.0

7.15.1

7.15.2

7.15.3

7.15.4

7.15.5

7.16.0

7.16.1

7.16.2

7.16.3