ByteOS Network

NVD Vulnerability Details :

CVE-2017-2629

Modified

Source-secalert@redhat.com

Published At-27 Jul, 2018 | 19:29

Updated At-09 Oct, 2019 | 23:26

curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. This could lead to users not detecting when a server's certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in reality. This flaw also exists in the command line tool (--cert-status).

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.0	6.5	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Secondary	3.0	4.3	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary	2.0	4.0	MEDIUM	AV:N/AC:L/Au:S/C:N/I:P/A:N

CPE Matches

CURL

>>curl>>Versions before 7.53.0(exclusive)

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-295	Primary	nvd@nist.gov
CWE-295	Secondary	secalert@redhat.com

References

Hyperlink	Source	Resource
http://www.securityfocus.com/bid/96382	secalert@redhat.com	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1037871	secalert@redhat.com	Third Party Advisory VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2629	secalert@redhat.com	Issue Tracking Patch Third Party Advisory
https://curl.haxx.se/docs/adv_20170222.html	secalert@redhat.com	Vendor Advisory
https://security.gentoo.org/glsa/201703-04	secalert@redhat.com	Third Party Advisory
https://www.tenable.com/security/tns-2017-09	secalert@redhat.com	Third Party Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History