Moti Avrahami

#47471 of 53,638
CVSS total: 5.3
Vulnerabilities · 1
PT-2016-5688
5.3
2014-06-06
Arm · Mbed Tls · CVE-2016-3739
**Name of the Vulnerable Software and Affected Versions**

cURL and libcurl versions prior to 7.49.0

**Description**

The issue allows remote attackers to spoof servers via an arbitrary valid certificate when using SSLv3 or when making a TLS connection to a URL that uses a numerical IP address. This occurs because libcurl did not check the server certificate of TLS connections made to a host specified as an IP address, or when explicitly asked to use SSLv3. The flaw exists when libcurl is built to use mbedTLS or PolarSSL as the TLS backend. By tricking a libcurl-using client into using a URL whose host is specified as an IP address only, an application could be made to connect to an impostor server or a man-in-the-middle host without noticing.

**Recommendations**

For versions prior to 7.49.0, update to version 7.49.0 or later to resolve the issue. As a temporary workaround, consider avoiding the use of IP addresses as hostnames and disabling SSLv3 to minimize the risk of exploitation. Restrict access to TLS-oriented protocols such as HTTPS, FTPS, IMAPS, POP3S, SMTPS, etc., when using IP addresses or SSLv3, until the issue is resolved.