CURL-CVE-2011-3389
- Source
- https://curl.se/docs/CVE-2011-3389.html
- Import Source
- https://curl.se/docs/CURL-CVE-2011-3389.json
- JSON Data
- https://api.osv.dev/v1/vulns/CURL-CVE-2011-3389
- Aliases
- Published
- 2012-01-24T08:00:00Z
- Modified
- 2024-06-07T13:53:51Z
- Summary
- SSL CBC IV vulnerability
- Details
-
curl is vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL for the SSL/TLS layer.
This vulnerability has been identified (CVE-2011-3389 aka the "BEAST" attack) and is addressed by OpenSSL already as they have made a work-around to mitigate the problem. When doing so, they figured out that some servers did not work with the work-around and offered a way to disable it.
The bit used to disable the workaround was then added to the generic
SSL_OP_ALLbitmask that SSL clients may use to enable workarounds for better compatibility with servers. libcurl uses the SSLOPALL bitmask.While
SSL_OP_ALLis documented to enable "rather harmless" workarounds, it does in this case effectively enable this security vulnerability again. - References
-
- Credits
-
-
- product-security at Apple - FINDER
-
- Daniel Stenberg - REMEDIATION_DEVELOPER
-
- Yang Tse - OTHER
-
Affected packages
Git /
Affected versions
7.*
7.10.6
7.10.7
7.10.8
7.11.0
7.11.1
7.11.2
7.12.0
7.12.1
7.12.2
7.12.3
7.13.0
7.13.1
7.13.2
7.14.0
7.14.1
7.15.0
7.15.1
7.15.2
7.15.3
7.15.4
7.15.5
7.16.0
7.16.1
7.16.2
7.16.3
7.16.4
7.17.0
7.17.1
7.18.0
7.18.1
7.18.2
7.19.0
7.19.1
7.19.2
7.19.3
7.19.4
7.19.5
7.19.6
7.19.7
7.20.0
7.20.1
7.21.0
7.21.1
7.21.2
7.21.3
7.21.4
7.21.5
7.21.6
7.21.7
7.22.0
7.23.0
7.23.1