Updated: 2025-08-20 02:18:18.122092
Description:
A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or`CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations **withoutTLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.
| Links | NIST | CIRCL | RHEL | Ubuntu |
| Severity | Score | |
|---|---|---|
| CVSS Version 2.x | MEDIUM | 5.0 |
| CVSS Version 3.x | HIGH | 7.5 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | curl | 7.76.1 | 7.5 | HIGH | Not Vulnerable | 2023-11-08 08:36:09 | ||
| CentOS 6 ELS | mysql | 5.1.73 | 7.5 | HIGH | Not Vulnerable | 2022-07-18 16:26:02 | ||
| CentOS 6 ELS | curl | 7.19.7 | 7.5 | HIGH | Not Vulnerable | 2022-04-19 21:49:46 | ||
| CentOS 7 ELS | curl | 7.29.0 | 7.5 | HIGH | Not Vulnerable | 2023-10-31 14:09:37 | ||
| CentOS 8.4 ELS | curl | 7.61.1 | 7.5 | HIGH | Not Vulnerable | 2022-04-19 21:49:46 | ||
| CentOS 8.4 ELS | mysql | 8.0.26 | 7.5 | HIGH | Not Vulnerable | 2022-04-19 21:50:04 | ||
| CentOS 8.5 ELS | mysql | 8.0.26 | 7.5 | HIGH | Not Vulnerable | 2022-04-19 21:50:04 | ||
| CentOS 8.5 ELS | curl | 7.61.1 | 7.5 | HIGH | Not Vulnerable | 2022-04-19 21:49:46 | ||
| CloudLinux 6 ELS | curl | 7.19.7 | 7.5 | HIGH | Not Vulnerable | 2022-04-19 21:49:46 | ||
| CloudLinux 6 ELS | mysql | 5.1.73 | 7.5 | HIGH | Not Vulnerable | 2022-07-18 16:26:02 |