CVE-2017-2629
MEDIUMcurl < 7.53.0 - Improper TLS Certificate Validation via Status Request Extension
Title source: llmDescription
curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. This could lead to users not detecting when a server's certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in reality. This flaw also exists in the command line tool (--cert-status).
References (6)
Core 6
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/96382
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2629
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1037871
Third Party Advisory x_refsource_confirm
https://www.tenable.com/security/tns-2017-09
Vendor Advisory x_refsource_confirm
https://curl.haxx.se/docs/adv_20170222.html
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201703-04
Scores
CVSS v3
4.3
EPSS
0.0058
EPSS Percentile
69.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Details
CWE
CWE-295
Status
published
Products (1)
haxx/curl
< 7.53.0
Published
Jul 27, 2018
Tracked Since
Feb 18, 2026