CURL-CVE-2020-8286
- Source
- https://curl.se/docs/CVE-2020-8286.html
- Import Source
- https://curl.se/docs/CURL-CVE-2020-8286.json
- JSON Data
- https://api.osv.dev/v1/vulns/CURL-CVE-2020-8286
- Aliases
- Published
- 2020-12-09T08:00:00Z
- Modified
- 2024-06-07T13:53:51Z
- Summary
- Inferior OCSP verification
- Details
-
libcurl offers "OCSP stapling" via the
CURLOPT_SSL_VERIFYSTATUSoption. When set, libcurl verifies the OCSP response that a server responds with as part of the TLS handshake. It then aborts the TLS negotiation if something is wrong with the response. The same feature can be enabled with--cert-statususing the curl tool.As part of the OCSP response verification, a client should verify that the response is indeed set out for the correct certificate. This step was not performed by libcurl when built or told to use OpenSSL as TLS backend.
This flaw would allow an attacker, who perhaps could have breached a TLS server, to provide a fraudulent OCSP response that would appear fine, instead of the real one. Like if the original certificate actually has been revoked.
- References
-
- Credits
-
-
- Ospoco - FINDER
-
- Daniel Stenberg - REMEDIATION_DEVELOPER
-
Affected packages
Git / github.com/curl/curl.git
Affected ranges
- Type
- SEMVER
- Events
-
Introduced7.41.0Fixed7.74.0
- Type
- GIT
- Repo
- https://github.com/curl/curl.git
- Events