Updated: 2024-03-27 21:17:13.563197
Description:
curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.
CVSS version | Severity | Score |
---|---|---|
CVSS Version 2.x | MEDIUM | 4.3 |
CVSS Version 3.x | MEDIUM | 5.3 |

OS name | Project name | Version | Score | Severity | Status | Errata | Last updated |
---|---|---|---|---|---|---|---|
AlmaLinux 9.2 ESU | curl | 7.76.1 | 5.3 | MEDIUM | Ignored | | 2023-11-08 04:08:05 |
CentOS 6 ELS | mysql | 5.1.73 | 5.3 | MEDIUM | Ignored | | 2022-04-19 21:50:23 |
CentOS 8.4 ELS | curl | 7.61.1 | 5.3 | MEDIUM | Not Vulnerable | | 2022-04-19 21:49:47 |
CentOS 8.4 ELS | mysql | 8.0.26 | 5.3 | MEDIUM | Ignored | | 2022-07-18 11:43:15 |
CentOS 8.5 ELS | curl | 7.61.1 | 5.3 | MEDIUM | Ignored | | 2022-04-19 21:49:47 |
CentOS 8.5 ELS | mysql | 8.0.26 | 5.3 | MEDIUM | Ignored | | 2022-07-18 11:43:15 |
CloudLinux 6 ELS | mysql | 5.1.73 | 5.3 | MEDIUM | Ignored | | 2022-04-19 21:50:23 |
Oracle Linux 6 ELS | mysql | 5.1.73 | 5.3 | MEDIUM | Ignored | | 2022-04-19 21:50:23 |
Ubuntu 16.04 ELS | mysql-5.7 | 5.7.33-0 | 5.3 | MEDIUM | Ignored | | 2022-04-19 21:50:23 |
Ubuntu 18.04 ELS | mysql-5.7 | 5.7.41-0 | 5.3 | MEDIUM | Ignored | | 2023-03-09 13:03:35 |