CVE-2017-2629 : curl before 7.53.0 has an incorrect TLS Certificate Status Request extension fea

curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. This could lead to users not detecting when a server's certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in reality. This flaw also exists in the command line tool (--cert-status).

Published 2018-07-27 19:29:00

Updated 2019-10-09 23:26:59

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2017-2629

Haxx » Curl
Versions before (<) 7.53.0
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2017-2629

EPSS FAQ

0.79%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 73 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-2629

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.0	MEDIUM	AV:N/AC:L/Au:S/C:N/I:P/A:N	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
6.5	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None
4.3	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	2.8	1.4	Red Hat, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

CWE ids for CVE-2017-2629

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.
Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)

References for CVE-2017-2629

https://curl.haxx.se/docs/adv_20170222.html

curl - SSL_VERIFYSTATUS ignored - CVE-2017-2629
Vendor Advisory
http://www.securityfocus.com/bid/96382

cURL/libcURL CVE-2017-2629 TLS Certificate Validation Security Bypass Vulnerability
Third Party Advisory;VDB Entry
https://security.gentoo.org/glsa/201703-04

cURL: Certificate validation error (GLSA 201703-04) — Gentoo security
Third Party Advisory
https://www.tenable.com/security/tns-2017-09

[R1] LCE 5.0.1 Fixes Two Third-party Library Vulnerabilities - Security Advisory | Tenable®
Third Party Advisory

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2629

1425746 – (CVE-2017-2629) CVE-2017-2629 curl: SSL_VERIFYSTATUS ignored
Issue Tracking;Patch;Third Party Advisory
http://www.securitytracker.com/id/1037871

cURL OCSP Stapling Verification Bug Lets Remote Users Bypass CURLOPT_SSL_VERIFYSTATUS Security Restrictions on the Target System - SecurityTracker
Third Party Advisory;VDB Entry

Jump to

Vulnerability Details : CVE-2017-2629

Products affected by CVE-2017-2629

Exploit prediction scoring system (EPSS) score for CVE-2017-2629

CVSS scores for CVE-2017-2629

CWE ids for CVE-2017-2629

References for CVE-2017-2629