CVE-2016-3739

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2016-3739

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-3739.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2016-3739

Aliases

CURL-CVE-2016-3739

Published

2016-05-20T14:59:05Z

Modified

2025-04-12T13:37:28.650657Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

The (1) mbedconnectstep1 function in lib/vtls/mbedtls.c and (2) polarsslconnectstep1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.

References

Affected packages

Debian:11 / curl

Package

Name: curl
Purl: pkg:deb/debian/curl?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.50.1-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:12 / curl

Package

Name: curl
Purl: pkg:deb/debian/curl?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.50.1-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:13 / curl

Package

Name: curl
Purl: pkg:deb/debian/curl?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.50.1-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Git / github.com/curl/curl

Affected ranges

Type: GIT
Repo: https://github.com/curl/curl
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

06bf874bbca0a5c600b210b5db920eff9f95f0d0

Last affected

0966b324d911423c81351fb12e9219f71cd63be8

Last affected

11a7ac0d6a84290001a5239df37bbca4270b17d4

Last affected

1a7f66a3de2625d10f65415e6eb3e56067dc0555

Last affected

202aa9f7758636730299b86715d924f54468a908

Last affected

22691f849ac959ffaa821a3ca7f746ee54bd5e52

Last affected

2a05025510dcae46ac01fd457942061052ebed1b

Last affected

2bf90d071016e279796e789f0ac223d635671a41

Last affected

2c000d91f3c423cee0af44e8afc79b9d25a9e714

Last affected

303bfc1024d948a5ba134ccfc106f82c0b4fd675

Last affected

33c02d47711c81087d232c7e0e66b74ab61c14d5

Last affected

38e07886ed2792988217a2ffa482ce3a69ca92c2

Last affected

4f041c9d6e61829310eb0715d8edb2a232478123

Last affected

4feb6e6d035d5d66984957c8ca22bc9a05df527f

Last affected

64c613c27abb58503eb8a966bee1489562060da0

Last affected

6d7d0eba6d95fd5122b2d2a52f77da510bfefb3b

Last affected

70812c2f32fc5734bcbbe572b9f61c380433ad6a

Last affected

80d241046e404233537ff35efabb703a0668c7d5

Last affected

8249b0522d371679f2cd2516045a5f938ea36a53

Last affected

827f0a318cdbf73800c2366cf6a3132f2b2a7c49

Last affected

85c710e11e7a7c1caf02962bbbdc08a5561ae769

Last affected

8da5da9b6544337b8a675db092da201f279265d4

Last affected

95ddbdb1dbfbb051d67bf0d6643b1a917a4c7d88

Last affected

9819cec61b00cc872136ea5faf469627b3b87e69

Last affected

9ce2d7001939b795b45a8ce7700d1a3dcde0475d

Last affected

a5ee8d50c3faf1359f039c87a3d2dfee9f45d566

Last affected

a8e063b0877da005342b3445c5535a5bce0d5bc5

Last affected

b9660dc4b290781ff6535dec32258ec14e6ff0b5

Last affected

b9fdb721f2948487fcffe34ad60790a83379e1b9

Last affected

bf633a584dcbb0f80273ba856b7198ad1e395315

Last affected

c1babfad8a98a5fe28e2106d95e1bd7eeafcdb46

Last affected

c262c35676a2c3240da433e7a4428ac2129b445f

Last affected

d37145834876308121d3e825c85b08bec0b3ff97

Last affected

e2ae32ff5f3ab6f0819590f61f248f17df12987f

Last affected

e91d167ff8cb89523447680e3560f60d93615055

Last affected

f77e89c5d20db09eaebf378ec036a7e796932810

Last affected

ff837422ee4ec7d6aea7750a40e30cba29db93e8

Affected versions

Other

before_ftp_statemachine

before_urldata_rename

c-ares-1_2_0

c-ares-1_3_0

curl-6_5

curl-6_5_1

curl-6_5_2

curl-7_10

curl-7_10_1

curl-7_10_2

curl-7_10_3

curl-7_10_4

curl-7_10_5

curl-7_10_6

curl-7_10_7

curl-7_10_8

curl-7_11_0

curl-7_11_1

curl-7_11_2

curl-7_12_0

curl-7_12_1

curl-7_12_2

curl-7_12_3

curl-7_13_0

curl-7_13_1

curl-7_13_2

curl-7_14_0

curl-7_14_1

curl-7_15_0

curl-7_15_1

curl-7_15_2

curl-7_15_3

curl-7_15_4

curl-7_15_5

curl-7_15_6-prepipeline

curl-7_16_0

curl-7_16_1

curl-7_16_2

curl-7_16_3

curl-7_16_4

curl-7_17_0

curl-7_17_0-preldapfix

curl-7_17_1

curl-7_18_0

curl-7_18_1

curl-7_18_2

curl-7_19_0

curl-7_19_1

curl-7_19_2

curl-7_19_3

curl-7_19_4

curl-7_19_5

curl-7_19_6

curl-7_19_7

curl-7_1_1

curl-7_2

curl-7_20_0

curl-7_20_1

curl-7_21_0

curl-7_21_1

curl-7_21_2

curl-7_21_3

curl-7_21_4

curl-7_21_5

curl-7_21_6

curl-7_21_7

curl-7_22_0

curl-7_23_0

curl-7_23_1

curl-7_24_0

curl-7_25_0

curl-7_26_0

curl-7_27_0

curl-7_28_0

curl-7_28_1

curl-7_29_0

curl-7_3

curl-7_30_0

curl-7_31_0

curl-7_32_0

curl-7_33_0

curl-7_34_0

curl-7_35_0

curl-7_36_0

curl-7_37_0

curl-7_37_1

curl-7_38_0

curl-7_39_0

curl-7_40_0

curl-7_41_0

curl-7_42_0

curl-7_43_0

curl-7_44_0

curl-7_45_0

curl-7_46_0

curl-7_47_0

curl-7_4_1

curl-7_5

curl-7_5_2

curl-7_6

curl-7_6-pre4

curl-7_6_1

curl-7_6_1-pre1

curl-7_6_1-pre2

curl-7_6_1-pre3

curl-7_7

curl-7_7-beta1

curl-7_7-beta2

curl-7_7-beta3

curl-7_7-beta5

curl-7_7_1

curl-7_7_2

curl-7_7_3

curl-7_7_alpha2

curl-7_8

curl-7_8-pre2

curl-7_8_1

curl-7_8_1-pre3

curl-7_9

curl-7_9_1

curl-7_9_2

curl-7_9_3

curl-7_9_3-pre1

curl-7_9_3-pre2

curl-7_9_3-pre3

curl-7_9_4

curl-7_9_5

curl-7_9_5-pre2

curl-7_9_5-pre4

curl-7_9_6

curl-7_9_7

curl-7_9_7-pre2

curl-7_9_8

curl_7_6-pre3

v7_0_2beta