CURL-CVE-2020-8286

See a problem?
Source
https://curl.se/docs/CVE-2020-8286.html
Import Source
https://curl.se/docs/CURL-CVE-2020-8286.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2020-8286
Aliases
Published
2020-12-09T08:00:00Z
Modified
2024-06-07T13:53:51Z
Summary
Inferior OCSP verification
Details

libcurl offers "OCSP stapling" via the CURLOPT_SSL_VERIFYSTATUS option. When set, libcurl verifies the OCSP response that a server responds with as part of the TLS handshake. It then aborts the TLS negotiation if something is wrong with the response. The same feature can be enabled with --cert-status using the curl tool.

As part of the OCSP response verification, a client should verify that the response is indeed set out for the correct certificate. This step was not performed by libcurl when built or told to use OpenSSL as TLS backend.

This flaw would allow an attacker, who perhaps could have breached a TLS server, to provide a fraudulent OCSP response that would appear fine, instead of the real one. Like if the original certificate actually has been revoked.

References
Credits
    • Ospoco - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.41.0
Fixed
7.74.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events
Introduced
d1cf5d570663dac157740cb5e49d24614f185da7
Fixed
d9d01672785b8ac04aab1abb6de95fe3072ae199

Affected versions

7.*

7.41.0
7.42.0
7.42.1
7.43.0
7.44.0
7.45.0
7.46.0
7.47.0
7.47.1
7.48.0
7.49.0
7.49.1
7.50.0
7.50.1
7.50.2
7.50.3
7.51.0
7.52.0
7.52.1
7.53.0
7.53.1
7.54.0
7.54.1
7.55.0
7.55.1
7.56.0
7.56.1
7.57.0
7.58.0
7.59.0
7.60.0
7.61.0
7.61.1
7.62.0
7.63.0
7.64.0
7.64.1
7.65.0
7.65.1
7.65.2
7.65.3
7.66.0
7.67.0
7.68.0
7.69.0
7.69.1
7.70.0
7.71.0
7.71.1
7.72.0
7.73.0