KLA10859
Security bypass vulnerabilities in cURL
Updated: 06/01/2019
Detect date
?
08/03/2016
Severity
?
Critical
Description

Multiple serious vulnerabilities have been found in cURL. Malicious users can exploit these vulnerabilities to bypass security restrictions.

Below is a complete list of vulnerabilities

  1. Use-after-free vulnerability can be exploited to control which connection is used;
  2. An improper TLS connection reuse handling can be exploited remotely via connection manipulations to hijack authentication;
  3. An improper TLS certificate change handling can be exploited remotely via connection manipulations to bypass security restrictions.

Technical details

The curl command line tool is also affected because of these flaws.

All vulnerabilities were found in libcurl library.

Affected products

cURL and libcurl versions earlier than 7.50.1

Solution

Update to the latest version or apply patches
patch for CVE-2016-5421
patch for CVE-2016-5420
cURL download page
patch for CVE-2016-5419

Original advisories

cURL vulnerabilities table and advisories

Impacts
?
SB 
[?]
CVE-IDS
?
CVE-2016-54217.5Critical
CVE-2016-54205.0Critical
CVE-2016-54195.0Critical