libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable, since a server is by specification allowed to skip the client certificate check on resume and may instead reuse the identity established by the previous handshake (with the previous certificate, or with no certificate at all). A transfer configured with a new client certificate could therefore end up authenticated to the server as the old identity.
By default libcurl uses TLS session IDs/tickets to resume previous TLS sessions and speed up subsequent TLS handshakes. Resumption is used to make the next handshake faster when, for any reason, an existing TLS connection could not be kept alive.
This flaw is a regression of, and identical to, CVE-2016-5419 (reported on August 3rd 2016), but it affects a different version range.
{
"affects": "both",
"www": "https://curl.se/docs/CVE-2017-7468.html",
"URL": "https://curl.se/docs/CVE-2017-7468.json",
"CWE": {
"id": "CWE-305",
"desc": "Authentication Bypass by Primary Weakness"
},
"severity": "High",
"last_affected": "7.53.1",
"package": "curl"
}[
{
"deprecated": false,
"target": {
"file": "lib/vtls/mbedtls.c",
"function": "mbed_connect_step3"
},
"digest": {
"length": 903.0,
"function_hash": "81832264132217420897596638504358830920"
},
"id": "CURL-CVE-2017-7468-08eb3bb4",
"signature_type": "Function",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/mbedtls.c",
"function": "mbed_connect_step1"
},
"digest": {
"length": 6840.0,
"function_hash": "166282236628170077188234170377384957738"
},
"id": "CURL-CVE-2017-7468-0a40569e",
"signature_type": "Function",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/polarssl.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"172535929888223011783778183892271970533",
"334897269977797547527437412523240801010",
"316290574376333545080720108887940992854",
"320141749657151122226833407483099338566",
"316837432126527030999593181764192832858",
"165121328276448230237395237624634969067",
"176764389375001740922879651704515670298",
"182367826940189150411598452128702814993"
]
},
"id": "CURL-CVE-2017-7468-0a59319c",
"signature_type": "Line",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/axtls.c",
"function": "connect_prep"
},
"digest": {
"length": 2835.0,
"function_hash": "279503743348125613033243234075725749326"
},
"id": "CURL-CVE-2017-7468-0ae5051c",
"signature_type": "Function",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/polarssl.c",
"function": "polarssl_connect_step1"
},
"digest": {
"length": 5576.0,
"function_hash": "136159184821338672959887040673907266593"
},
"id": "CURL-CVE-2017-7468-0e32bb58",
"signature_type": "Function",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/vtls.c",
"function": "Curl_ssl_addsessionid"
},
"digest": {
"length": 1822.0,
"function_hash": "19147306859960512338549356584179504682"
},
"id": "CURL-CVE-2017-7468-13d32a58",
"signature_type": "Function",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/cyassl.c",
"function": "cyassl_connect_step3"
},
"digest": {
"length": 795.0,
"function_hash": "340219282155802980007599642090641472587"
},
"id": "CURL-CVE-2017-7468-2485e724",
"signature_type": "Function",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/schannel.c",
"function": "schannel_connect_step3"
},
"digest": {
"length": 3670.0,
"function_hash": "134275649985578035858819786439228985804"
},
"id": "CURL-CVE-2017-7468-385dbf06",
"signature_type": "Function",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/url.c",
"function": "Curl_setopt"
},
"digest": {
"length": 41149.0,
"function_hash": "186063592302048064341052431850287959819"
},
"id": "CURL-CVE-2017-7468-3b067fe6",
"signature_type": "Function",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/urldata.h"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"198683916145087094504816435109645840028",
"220993303376407926104727675957746652808",
"217590300289916129302901245853548350950",
"263933567589203802068510968211470018283",
"37237727345207122061121308812990696893",
"183620494746353697031880640597676054442",
"310519466166569378997485342138094102457",
"318457620815968669041058515157763605892"
]
},
"id": "CURL-CVE-2017-7468-42849d81",
"signature_type": "Line",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/nss.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"226062542996496566610619624517220087723",
"168422041360499877163194472367765437365",
"16597518888896020125047678013284840202",
"10196245510871729399561067670661265950"
]
},
"id": "CURL-CVE-2017-7468-4c52a3c9",
"signature_type": "Line",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/openssl.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"3484413151559110847629953968689299614",
"127435901089798347445367850882344270330",
"307182354759299789758272271073297658794",
"225999323467492088213181556157791288884",
"295544463428996478277168135050247241882",
"294080755172784084334914202198171582322",
"338983798372813334220075477224829486290",
"309011341883195210562696330121187255319"
]
},
"id": "CURL-CVE-2017-7468-4cf7f74b",
"signature_type": "Line",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/gtls.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"304944049800724466033832218361855929585",
"223559907521306230261566398107942616160",
"176603468535859319188236249466095932518",
"246607907468849784672975528232247180331",
"261384324587976263685369159698697776837",
"41924717219160173322944626444769413175",
"67417828930773406314665790863667401239",
"157136939233374176486697533688991007220"
]
},
"id": "CURL-CVE-2017-7468-55585bf2",
"signature_type": "Line",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/axtls.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"234221247272631194186955184548042020411",
"127402192331361534514997249802002814893",
"243532361662396918869004810956295746340",
"317969139351793729205892397855322505080",
"15550668665059926245730204014282661393",
"281908038642262337341062881592136003452",
"337560906621521095310612056951076534867",
"269460142314651276683266323977837711389"
]
},
"id": "CURL-CVE-2017-7468-55ce3445",
"signature_type": "Line",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/openssl.c",
"function": "ossl_connect_step3"
},
"digest": {
"length": 926.0,
"function_hash": "248655825252225640739976446866483596787"
},
"id": "CURL-CVE-2017-7468-697c03ae",
"signature_type": "Function",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/gtls.c",
"function": "gtls_connect_step1"
},
"digest": {
"length": 9992.0,
"function_hash": "86989449867147140585499829556710791671"
},
"id": "CURL-CVE-2017-7468-7055fa11",
"signature_type": "Function",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/vtls.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"116697888569036184393815776384672557336",
"152745555996263714410966109696682743774",
"52374577630118744198385446922458739829",
"74416640931190703843200813839455857573",
"22837926033272325833661684278689218053",
"159379940730082903627531732468488244752",
"184471173096679396495570725207117878796",
"144213151731839508086548969234714954344",
"91692495661077648122901031513128211902",
"103460718216629164962317583030439884837",
"288237901086593522083499978768193844005",
"42839922563790317796979170517671290641",
"97265958273733508290996031703001850020"
]
},
"id": "CURL-CVE-2017-7468-75d84f41",
"signature_type": "Line",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/schannel.c",
"function": "schannel_connect_step1"
},
"digest": {
"length": 7645.0,
"function_hash": "178211371624334607632434206821056443660"
},
"id": "CURL-CVE-2017-7468-76f5fca2",
"signature_type": "Function",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/cyassl.c",
"function": "cyassl_connect_step1"
},
"digest": {
"length": 6963.0,
"function_hash": "32143773790933574543265236741649262861"
},
"id": "CURL-CVE-2017-7468-78344e46",
"signature_type": "Function",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/url.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"157543540451396611667386484148989267045",
"74069882306061399140586746538891343679",
"221111720465796965529162911022695451991",
"244219256792401510972435386011342973565",
"8114976935570795574375565491415553719",
"22759593980880853698552759145789732872",
"294018636741161595969697627679128386425",
"296617457533623502711519347929439409488",
"327940544495434881025960403982869964771"
]
},
"id": "CURL-CVE-2017-7468-915406d7",
"signature_type": "Line",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/mbedtls.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"200422383670803689681970180291971367779",
"271199807970815277242742973058271334019",
"12944496740288362429357058443990385728",
"320141749657151122226833407483099338566",
"316837432126527030999593181764192832858",
"165121328276448230237395237624634969067",
"55986910445014773660577116001894045293",
"151716116622873127140592820949455775117"
]
},
"id": "CURL-CVE-2017-7468-94680a63",
"signature_type": "Line",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/schannel.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"275036076535661898397738104768047292729",
"206727872251150574226934347663669365558",
"151827120008333494564769900398342614118",
"237889124970540501720510391966920673335",
"3871476853743574543555372681885264559",
"107426120965436630550851094683951508302",
"225081885069481720806966173037985741363",
"253389568543456661722902047746749413565"
]
},
"id": "CURL-CVE-2017-7468-94e70069",
"signature_type": "Line",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/nss.c",
"function": "nss_setup_connect"
},
"digest": {
"length": 6202.0,
"function_hash": "240053820011501383886772950596370312121"
},
"id": "CURL-CVE-2017-7468-b413848c",
"signature_type": "Function",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/url.c",
"function": "Curl_init_userdefined"
},
"digest": {
"length": 2529.0,
"function_hash": "116025645030831907644807641442241440173"
},
"id": "CURL-CVE-2017-7468-bc8de2e7",
"signature_type": "Function",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/darwinssl.c",
"function": "darwinssl_connect_step1"
},
"digest": {
"length": 13609.0,
"function_hash": "308673861977387338860697765143545846807"
},
"id": "CURL-CVE-2017-7468-be566a5c",
"signature_type": "Function",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/darwinssl.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"27866526955463607016655463918154242247",
"77260563409298035026435384800325762503",
"51070627625800272582700783561694094325",
"190409903133862919814399538683792274085"
]
},
"id": "CURL-CVE-2017-7468-d680dfd4",
"signature_type": "Line",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/gtls.c",
"function": "gtls_connect_step3"
},
"digest": {
"length": 9996.0,
"function_hash": "171556669681260753575251690245199297323"
},
"id": "CURL-CVE-2017-7468-d6c677a6",
"signature_type": "Function",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/axtls.c",
"function": "connect_finish"
},
"digest": {
"length": 2380.0,
"function_hash": "145069133213934954676527723583167051882"
},
"id": "CURL-CVE-2017-7468-de88261c",
"signature_type": "Function",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/vtls.c",
"function": "Curl_clone_primary_ssl_config"
},
"digest": {
"length": 387.0,
"function_hash": "182491058169809524916547310765914292283"
},
"id": "CURL-CVE-2017-7468-e2f95290",
"signature_type": "Function",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/polarssl.c",
"function": "polarssl_connect_step3"
},
"digest": {
"length": 899.0,
"function_hash": "134415813669844138675624282421034573546"
},
"id": "CURL-CVE-2017-7468-f1d7ea38",
"signature_type": "Function",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/openssl.c",
"function": "ossl_connect_step1"
},
"digest": {
"length": 9981.0,
"function_hash": "254839809511526755719182132953578108771"
},
"id": "CURL-CVE-2017-7468-f297d067",
"signature_type": "Function",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/vtls.c",
"function": "Curl_ssl_getsessionid"
},
"digest": {
"length": 1560.0,
"function_hash": "61111165671515616765983114518515148520"
},
"id": "CURL-CVE-2017-7468-f32a493e",
"signature_type": "Function",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
},
{
"deprecated": false,
"target": {
"file": "lib/vtls/cyassl.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"167985076493585910827800208943953346485",
"267057043838863628034067934030572221700",
"176086022031721186333992618672776504399",
"225999323467492088213181556157791288884",
"295544463428996478277168135050247241882",
"294080755172784084334914202198171582322",
"338983798372813334220075477224829486290",
"309011341883195210562696330121187255319"
]
},
"id": "CURL-CVE-2017-7468-fe546efd",
"signature_type": "Line",
"source": "https://github.com/curl/curl.git/commit/33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26",
"signature_version": "v1"
}
]