CVE-2024-0853

Updated: 2024-02-16 19:01:24.168719

Description:

curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

| | Severity | Score |
|---|---|---|
| CVSS Version 2.x | | 0 |
| CVSS Version 3.x | MEDIUM | 5.3 |

Status

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated |
|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | curl | 7.76.1 | 5.3 | MEDIUM | Ignored | | 2024-02-13 08:27:11 |
| CentOS 6 ELS | curl | 7.19.7 | 5.3 | MEDIUM | Ignored | | 2024-02-13 08:27:09 |
| CentOS 7 ELS | curl | 7.29.0 | 5.3 | MEDIUM | Ignored | | 2024-02-13 08:27:11 |
| CentOS 8.4 ELS | curl | 7.61.1 | 5.3 | MEDIUM | Ignored | | 2024-02-13 08:27:10 |
| CentOS 8.5 ELS | curl | 7.61.1 | 5.3 | MEDIUM | Ignored | | 2024-02-13 08:27:10 |
| CloudLinux 6 ELS | curl | 7.19.7 | 5.3 | MEDIUM | Ignored | | 2024-02-13 08:27:10 |
| Oracle Linux 6 ELS | curl | 7.19.7 | 5.3 | MEDIUM | Ignored | | 2024-02-13 08:27:10 |
| Ubuntu 16.04 ELS | curl | 7.47.0 | 5.3 | MEDIUM | Ignored | | 2024-02-13 08:27:12 |
| Ubuntu 18.04 ELS | curl | 7.58.0-2 | 5.3 | MEDIUM | Ignored | | 2024-02-13 08:27:13 |