CVE-2017-7468

Impact:
Moderate
Public Date:
2017-04-19
CWE:
CWE-295
Bugzilla:
1443381: CVE-2017-7468 curl: TLS session resumption client cert bypass

The MITRE CVE dictionary describes this issue as:

In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They are used when for any reason an existing TLS connection couldn't be kept alive to make the next handshake faster. This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range.

Find out more about CVE-2017-7468 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 4.8
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Impact Low
Availability Impact None

Affected Packages State

Platform Package State
Red Hat JBoss Web Server 3.0 curl Not affected
Red Hat Enterprise Linux 7 curl Not affected
Red Hat Enterprise Linux 6 curl Not affected
Red Hat Enterprise Linux 5 curl Not affected
RHEV Manager 3 mingw-virt-viewer Not affected
.NET Core 2.0 on Red Hat Enterprise Linux rh-dotnet20-curl Not affected
.NET Core 1.0 on Red Hat Enterprise Linux rh-dotnetcore10-curl Not affected
.NET Core 1.0 on Red Hat Enterprise Linux rh-dotnetcore11-curl Not affected

External References

Last Modified

CVE description copyright © 2017, The MITRE Corporation

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.