KLA10859
Security bypass vulnerabilities in cURL
Updated: 17/06/2019
Detection date
03/08/2016
Threat level
Critical
Description

Multiple serious vulnerabilities have been found in cURL. Malicious users can exploit these vulnerabilities to bypass security restrictions.

Below is a complete list of the vulnerabilities:

  1. A use-after-free of a connection struct (CVE-2016-5421): an easy handle keeps a pointer to a connection after that connection has been closed and freed, so a later transfer on the same handle dereferences freed memory; this can be exploited to control which connection is used;
  2. Improper handling of TLS connection reuse (CVE-2016-5420): an existing TLS connection could be reused for a transfer without checking that the client certificate requested for the new transfer matched the one the connection was authenticated with; this can be exploited remotely via connection manipulation to hijack authentication;
  3. Improper handling of a TLS client certificate change (CVE-2016-5419): a cached TLS session could be resumed without checking that the client certificate was unchanged; this can be exploited remotely via connection manipulation to bypass security restrictions.

Technical details

All three vulnerabilities are in the libcurl library.

The curl command-line tool is built on libcurl and is therefore affected by these flaws as well.

Affected products

cURL and libcurl versions earlier than 7.50.1
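A fleet check for the fix level stated above, added here as an example; it is not part of the Kaspersky advisory and not code from the curl project. It parses the first line of `curl --version`, which reports both the curl tool version and the libcurl it is linked against ("libcurl/x.y.z"), flags a libcurl below 7.50.1 as exposed to the three CVEs, and separately reports a curl binary below 7.50.1. The host names and version lines in SAMPLE_OUTPUTS are constructed for the example; the call to the local curl binary is optional and only runs from the script's main block.

```python
"""Flag hosts whose libcurl predates the 7.50.1 fix for CVE-2016-5419/-5420/-5421.

Added example, not code from the Kaspersky advisory or from the curl project.
It parses the first line of `curl --version`, which names both the curl tool
version and the libcurl it is linked against ("libcurl/x.y.z"). The sample
outputs in SAMPLE_OUTPUTS are constructed for this example.
"""
import re
import subprocess

FIXED_IN = (7, 50, 1)  # fix level stated in the advisory
CVES = ("CVE-2016-5421", "CVE-2016-5420", "CVE-2016-5419")

_TOOL_RE = re.compile(r"^curl\s+(\d+)\.(\d+)(?:\.(\d+))?")
_LIB_RE = re.compile(r"\blibcurl/(\d+)\.(\d+)(?:\.(\d+))?")

# Constructed sample outputs (first line of `curl --version`), keyed by host name.
SAMPLE_OUTPUTS = {
    "old-host":     "curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3",
    "patched-host": "curl 7.50.1 (x86_64-pc-linux-gnu) libcurl/7.50.1 OpenSSL/1.0.2h zlib/1.2.8 nghttp2/1.12.0",
    # a newer curl binary dynamically linked against an older shared libcurl
    "mixed-host":   "curl 7.51.0 (x86_64-pc-linux-gnu) libcurl/7.49.1 OpenSSL/1.0.2h zlib/1.2.8",
}


def _as_tuple(match):
    # A missing patch number (e.g. "7.50") is treated as .0
    return (int(match.group(1)), int(match.group(2)), int(match.group(3) or 0))


def parse_version_line(line):
    """Return (tool_version, libcurl_version) from the first line of `curl --version`.

    Each element is a (major, minor, patch) tuple, or None if the token is absent.
    """
    tool = _TOOL_RE.match(line.strip())
    lib = _LIB_RE.search(line)
    return (_as_tuple(tool) if tool else None, _as_tuple(lib) if lib else None)


def assess(line):
    """Classify one `curl --version` line against FIXED_IN.

    The libcurl token decides exposure: all three CVEs live in the library, and
    the tool is affected only through it. The tool version is still reported,
    because the two can differ when curl is linked dynamically.
    """
    tool, lib = parse_version_line(line)
    findings = []
    if lib is None:
        findings.append("no libcurl/x.y.z token; verify the linked library manually")
    elif lib < FIXED_IN:
        findings.append("libcurl %d.%d.%d is below 7.50.1: exposed to %s"
                        % (lib + (", ".join(CVES),)))
    if tool is not None and tool < FIXED_IN:
        findings.append("curl tool %d.%d.%d is below 7.50.1" % tool)
    return {
        "tool": tool,
        "libcurl": lib,
        "vulnerable": lib is not None and lib < FIXED_IN,
        "findings": findings,
    }


def assess_hosts(outputs):
    """Run assess() over a {host: version_line} mapping; returns {host: result}."""
    return {host: assess(line) for host, line in outputs.items()}


def local_version_line():
    """First line of `curl --version` on this machine, or None if curl is absent."""
    try:
        out = subprocess.run(["curl", "--version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return None
    return out.splitlines()[0] if out else None


if __name__ == "__main__":
    for host, result in assess_hosts(SAMPLE_OUTPUTS).items():
        status = "VULNERABLE" if result["vulnerable"] else "ok"
        print("%-13s %s  %s" % (host, status, "; ".join(result["findings"]) or "-"))
    local = local_version_line()
    if local:
        print("local: %s -> %s" % (local, assess(local)["findings"] or "ok"))
```

A version-string check has one known false positive: distributions that backport security fixes into their packaged curl keep the upstream version number unchanged, so a host reporting libcurl/7.47.0 may already carry the fixes. Confirm against the package changelog or the vendor's advisory before treating such a host as exposed.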

Solution

Update to the latest version or apply the patches:
cURL download page
patch for CVE-2016-5419
patch for CVE-2016-5420
patch for CVE-2016-5421

Original advisories
cURL vulnerabilities table and advisories
Impact
SB (Security Bypass)
CVE-IDs
CVE-ID          CVSS score  Severity
CVE-2016-5421   7.5         Critical
CVE-2016-5420   5.0         Critical
CVE-2016-5419   5.0         Critical