It was found that the libcurl library did not check the client certificate when choosing the TLS connection to reuse. An attacker could potentially use this flaw to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.
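
The reuse decision described above, modelled as an added example (this is not libcurl's code and does not come from the advisory). The `conn` struct, `find_reusable`, the host name and the certificate file names are constructed for illustration, and comparing certificates by file name is a simplifying assumption.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a pooled TLS connection (hypothetical struct, not libcurl's). */
struct conn {
    const char *host;
    int port;
    const char *client_cert;  /* certificate presented in the handshake, NULL if none */
    int in_use;               /* slot occupied */
};

/* NULL-safe comparison: two absent certificates match, absent vs present does not. */
static int same_cert(const char *a, const char *b) {
    if (a == NULL || b == NULL) return a == b;
    return strcmp(a, b) == 0;
}

/* Return index of a reusable pooled connection, or -1 to force a new handshake.
 * check_cert == 0 models the flawed match (host and port only);
 * check_cert == 1 also requires the same client certificate. */
int find_reusable(const struct conn *pool, int n, const char *host, int port,
                  const char *client_cert, int check_cert) {
    for (int i = 0; i < n; i++) {
        if (!pool[i].in_use) continue;
        if (strcmp(pool[i].host, host) != 0 || pool[i].port != port) continue;
        if (check_cert && !same_cert(pool[i].client_cert, client_cert)) continue;
        return i;
    }
    return -1;
}

/* Constructed sample pool: one connection authenticated with alice.pem. */
static const struct conn sample_pool[] = {
    { "api.example.test", 443, "alice.pem", 1 },
};

int main(void) {
    /* A later request configured with bob.pem for the same host and port. */
    int flawed = find_reusable(sample_pool, 1, "api.example.test", 443, "bob.pem", 0);
    int fixed  = find_reusable(sample_pool, 1, "api.example.test", 443, "bob.pem", 1);
    int same   = find_reusable(sample_pool, 1, "api.example.test", 443, "alice.pem", 1);
    printf("flawed match: %d, strict match (bob): %d, strict match (alice): %d\n",
           flawed, fixed, same);
    return 0;
}
```

With the certificate left out of the match, the request configured for `bob.pem` is handed the connection that was authenticated as `alice.pem`; with it included, that request gets no match and a new handshake is required.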

Platform | Package | Release Date | Advisory |
---|---|---|---|
Amazon Linux 1 | curl | 2016-08-17 13:30 | ALAS-2016-730 |

Source | Score Type | Score | Vector |
---|---|---|---|
Amazon Linux | CVSSv2 | 4.9 | AV:N/AC:M/Au:S/C:P/I:P/A:N |
Amazon Linux | CVSSv3 | 4.2 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |
NVD | CVSSv2 | 5.0 | AV:N/AC:L/Au:N/C:N/I:P/A:N |
NVD | CVSSv3 | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |