Updated: 2024-03-27 21:34:19.265648
Description:
A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or `CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` with libcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response. This flaw would then make curl silently continue its operations **without TLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.
Links | NIST | CIRCL | RHEL | Ubuntu |
CVSS version | Severity | Score |
---|---|---|
CVSS Version 2.x | MEDIUM | 5 |
CVSS Version 3.x | HIGH | 7.5 |
OS name | Project name | Version | Score | Severity | Status | Errata | Last updated |
---|---|---|---|---|---|---|---|
AlmaLinux 9.2 ESU | curl | 7.76.1 | 7.5 | HIGH | Not Vulnerable | | 2023-11-08 08:36:09 |
CentOS 6 ELS | curl | 7.19.7 | 7.5 | HIGH | Not Vulnerable | | 2022-04-19 21:49:46 |
CentOS 6 ELS | mysql | 5.1.73 | 7.5 | HIGH | Not Vulnerable | | 2022-07-18 16:26:02 |
CentOS 7 ELS | curl | 7.29.0 | 7.5 | HIGH | Not Vulnerable | | 2023-10-31 14:09:37 |
CentOS 8.4 ELS | curl | 7.61.1 | 7.5 | HIGH | Not Vulnerable | | 2022-04-19 21:49:46 |
CentOS 8.4 ELS | mysql | 8.0.26 | 7.5 | HIGH | Not Vulnerable | | 2022-04-19 21:50:04 |
CentOS 8.5 ELS | curl | 7.61.1 | 7.5 | HIGH | Not Vulnerable | | 2022-04-19 21:49:46 |
CentOS 8.5 ELS | mysql | 8.0.26 | 7.5 | HIGH | Not Vulnerable | | 2022-04-19 21:50:04 |
CloudLinux 6 ELS | curl | 7.19.7 | 7.5 | HIGH | Not Vulnerable | | 2022-04-19 21:49:46 |
CloudLinux 6 ELS | mysql | 5.1.73 | 7.5 | HIGH | Not Vulnerable | | 2022-07-18 16:26:02 |