CURL-CVE-2016-9952
- Source
- https://curl.se/docs/CVE-2016-9952.html
- Import Source
- https://curl.se/docs/CURL-CVE-2016-9952.json
- JSON Data
- https://api.osv.dev/v1/vulns/CURL-CVE-2016-9952
- Aliases
- Published
- 2016-12-21T08:00:00Z
- Modified
- 2024-06-07T13:53:51Z
- Summary
- Win CE Schannel cert wildcard matches too much
- Details
-
curl's TLS server certificate checks are flawed on Windows CE.
This vulnerability occurs in the verify certificate function when comparing a wildcard certificate name (as returned by the Windows API function
CertGetNameString)to the hostname used to make the connection to the server.The vulnerability can be triggered with an overly permissive wildcard SAN in the server certificate such as a DNS name of
*.com. When the function compares the cert name to the connection hostname, the wildcard character is removed from the cert name and the connection hostname is checked to see if it ends with the modified cert name. This means a hostname of example.com would match a DNS SAN of*.com, among other variations. This approach violates recommendations in RFC 6125 and could lead to MITM attacks. - Database specific
{ "CWE": { "id": "CWE-295", "desc": "Improper Certificate Validation" }, "package": "curl", "URL": "https://curl.se/docs/CVE-2016-9952.json", "severity": "Medium", "www": "https://curl.se/docs/CVE-2016-9952.html", "last_affected": "7.51.0" }- References
-
- Credits
-
-
- Dan McNulty - FINDER
-
- Dan McNulty - REMEDIATION_DEVELOPER
-