It was found that the libcurl library did not prevent TLS session resumption when the client certificate had changed. An attacker could potentially use this flaw to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.
Platform | Package | Release Date | Advisory |
---|---|---|---|
Amazon Linux 1 | curl | 2016-08-17 13:30 | ALAS-2016-730 |
Score Type | Score | Vector | |
---|---|---|---|
Amazon Linux | CVSSv2 | 5.8 | AV:N/AC:M/Au:N/C:P/I:P/A:N |
Amazon Linux | CVSSv3 | 4.8 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
NVD | CVSSv2 | 5.0 | AV:N/AC:L/Au:N/C:P/I:N/A:N |
NVD | CVSSv3 | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |