PT-2016-6417 · Curl · Libcurl
Published 2016-08-03 · Updated 2026-05-18 · CVE-2016-5420
CVSS v3.1 7.5 High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
libcurl versions prior to 7.50.1
curl versions prior to 7.50.1
Description
libcurl keeps connections it has finished with alive in a connection pool so that later transfers to the same server can reuse them instead of paying for a new TCP and TLS handshake. Before 7.50.1, the check that decides whether an idle connection is suitable for a new transfer compared the scheme, host and port, but not the client certificate the connection had been authenticated with. An application that talks to one server with more than one client certificate, or with a certificate on some requests and none on others, could therefore have a later request sent over a TLS connection authenticated with a different certificate than the one it configured for that request, or over one that presented no certificate at all. Because the server authorizes the request on the basis of the certificate presented during the TLS handshake, the request runs under the wrong identity; NVD describes this as allowing an attacker to hijack the authentication of the connection. The exposure exists only inside an application that mixes client-certificate identities toward the same server within one connection pool; an application that always uses one certificate (or none) is not affected.
Recommendations
For libcurl versions prior to 7.50.1, update to version 7.50.1 or later, which includes the client certificate in the connection-matching check.
For curl versions prior to 7.50.1, update to version 7.50.1 or later; the command-line tool links the same library.
Where upgrading is not immediately possible, disable connection reuse in the affected application so that every transfer performs its own TLS handshake with the certificate it configured, for example by setting CURLOPT_FORBID_REUSE (and CURLOPT_FRESH_CONNECT) on the easy handle, or by using a separate easy or multi handle per client-certificate identity so that connections authenticated with different certificates never share a connection cache. This costs one handshake per request but removes the exposure.
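The pool mix-up described above, and the effect of the disable-reuse workaround, as an added example. This is a constructed Python model written for this page, not libcurl's code: it keeps an idle-connection pool whose match key is scheme/host/port only (the pre-7.50.1 behaviour) or additionally the client certificate (the 7.50.1 behaviour), and a `forbid_reuse` flag that mirrors what CURLOPT_FORBID_REUSE does to the pool. The transfer list and certificate file names are made up.

```python
"""Constructed model of the CVE-2016-5420 connection-pool mix-up.

Not libcurl code. A Connection records the client certificate that its TLS
handshake actually presented; a Transfer records the certificate the
application asked for. The vulnerable pool matches idle connections on
scheme/host/port only, so a later transfer can go out over a connection
authenticated as somebody else. The fixed pool also compares the client cert.
forbid_reuse models CURLOPT_FORBID_REUSE: the connection is not kept alive.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transfer:
    scheme: str
    host: str
    port: int
    client_cert: Optional[str]  # cert the application configured, None = no cert


@dataclass
class Connection:
    scheme: str
    host: str
    port: int
    client_cert: Optional[str]  # cert actually presented in the TLS handshake
    conn_id: int


class ConnectionPool:
    def __init__(self, check_client_cert: bool, forbid_reuse: bool = False):
        self.check_client_cert = check_client_cert  # False = vulnerable matching
        self.forbid_reuse = forbid_reuse            # True = workaround
        self._idle: list[Connection] = []
        self._next_id = 0

    def _matches(self, conn: Connection, t: Transfer) -> bool:
        if (conn.scheme, conn.host, conn.port) != (t.scheme, t.host, t.port):
            return False
        # The fix: a connection is only reusable if it was authenticated with
        # exactly the client cert this transfer wants (including "none").
        if self.check_client_cert and conn.client_cert != t.client_cert:
            return False
        return True

    def perform(self, t: Transfer) -> Connection:
        """Return the connection the transfer is actually sent over."""
        for conn in self._idle:
            if self._matches(conn, t):
                self._idle.remove(conn)
                chosen = conn
                break
        else:
            # No reusable connection: new handshake with the requested cert.
            chosen = Connection(t.scheme, t.host, t.port, t.client_cert, self._next_id)
            self._next_id += 1
        if not self.forbid_reuse:
            self._idle.append(chosen)  # keep alive for later transfers
        return chosen


def authenticated_as(pool: ConnectionPool, transfers: list[Transfer]) -> list[Optional[str]]:
    """Run transfers in order; return the cert each one was really authenticated with."""
    return [pool.perform(t).client_cert for t in transfers]


# Constructed sample: one application, one server, three different identities.
SAMPLE_TRANSFERS = [
    Transfer("https", "api.example.test", 443, "alice.pem"),
    Transfer("https", "api.example.test", 443, "bob.pem"),
    Transfer("https", "api.example.test", 443, None),
]


def run_all(transfers: list[Transfer] = SAMPLE_TRANSFERS) -> dict[str, dict]:
    """Compare the three pool modes; count transfers sent under the wrong identity."""
    modes = {
        "vulnerable": ConnectionPool(check_client_cert=False),
        "fixed": ConnectionPool(check_client_cert=True),
        "forbid_reuse": ConnectionPool(check_client_cert=False, forbid_reuse=True),
    }
    report = {}
    for name, pool in modes.items():
        actual = authenticated_as(pool, transfers)
        wrong = sum(1 for t, a in zip(transfers, actual) if t.client_cert != a)
        report[name] = {"actual": actual, "wrong_identity": wrong}
    return report


if __name__ == "__main__":
    for mode, result in run_all().items():
        print(f"{mode:13s} {result['actual']}  wrong identity: {result['wrong_identity']}")
```

In the vulnerable mode the second and third transfers both ride the connection opened for alice.pem, so the request that asked for bob.pem and the request that asked for no certificate at all are both authorized as alice. Checking the certificate in the match, or forbidding reuse, gives each transfer the identity it configured.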
Weakness classification
Improper Authorization
Related identifiers
Affected products
Alt Linux
CentOS
Red Hat
SUSE
Ubuntu
curl
libcurl