CVE-2017-2629
low-risk
Published 2018-07-27
curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. This could lead to users not detecting when a server's certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in reality. This flaw also exists in the command line tool (--cert-status).
Do I need to act?
-
0.36% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.3/10
Medium
NETWORK
/ LOW complexity
Affected Products (1)
Affected Vendors
References (12)
Third Party Advisory
http://www.securityfocus.com/bid/96382
Third Party Advisory
http://www.securitytracker.com/id/1037871
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2629
Vendor Advisory
https://curl.haxx.se/docs/adv_20170222.html
Third Party Advisory
https://security.gentoo.org/glsa/201703-04
Third Party Advisory
https://www.tenable.com/security/tns-2017-09
Third Party Advisory
http://www.securityfocus.com/bid/96382
Third Party Advisory
http://www.securitytracker.com/id/1037871
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2629
Vendor Advisory
https://curl.haxx.se/docs/adv_20170222.html
Third Party Advisory
https://security.gentoo.org/glsa/201703-04
Third Party Advisory
https://www.tenable.com/security/tns-2017-09
24
/ 100
low-risk
Severity
18/34 · Moderate
Exploitability
1/34 · Minimal
Exposure
5/34 · Minimal