PT-2020-6196 · Curl+9
Published 2020-12-01 · Updated 2026-05-18 · CVE-2020-8286
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
curl versions 7.41.0 through 7.73.0
Description
The issue stems from an improper certificate revocation check caused by insufficient verification of the OCSP response. This allows an attacker to supply a fraudulent OCSP response that curl accepts as legitimate, potentially compromising the TLS connection and affecting data integrity. The vulnerability is associated with errors in the certificate authentication procedure. It affects the CURLOPT_SSL_VERIFYSTATUS option in libcurl, which enables OCSP stapling verification, and the --cert-status option of the curl tool.
Recommendations
For curl versions 7.41.0 through 7.73.0, this issue was addressed with improved checks, so updating to a version that contains those checks resolves the issue. As a temporary workaround, consider disabling the CURLOPT_SSL_VERIFYSTATUS option or the --cert-status option until a patched build is deployed. Restrict access to the TLS negotiation process to minimize the risk of exploitation, and avoid relying on the OCSP response verification feature until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability, other than that improved checks have been implemented to address the issue.
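As an added example (not curl's code), the binding check a client must make before trusting a stapled OCSP response: a response that is validly signed and says "good" but whose CertID belongs to a different certificate from the same CA is exactly the legitimate-looking fraudulent response the description above refers to. It uses the Python `cryptography` package with a constructed test PKI and assumes, for brevity, that the CA key signs the OCSP response directly (real clients also accept delegated responders and must check freshness).

```python
import datetime
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.datetime.now(datetime.timezone.utc)

def make_cert(cn, key, issuer_cert, issuer_key, serial):
    """Constructed test PKI: a self-signed CA when issuer_cert is None, else a leaf."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = x509.CertificateBuilder().subject_name(name).issuer_name(
        issuer_cert.subject if issuer_cert else name).public_key(key.public_key())
    return (b.serial_number(serial).not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=30)).sign(issuer_key, hashes.SHA256()))

def make_ocsp_response(cert, issuer, issuer_key):
    """Signed 'good' response for cert (assumption: the CA key signs it directly)."""
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert, issuer, hashes.SHA256(), ocsp.OCSPCertStatus.GOOD,
        NOW, NOW + datetime.timedelta(days=1), None, None)
    return builder.responder_id(ocsp.OCSPResponderEncoding.HASH, issuer).sign(
        issuer_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def stapled_response_is_valid(resp_der, leaf, issuer):
    """Accept only a CA-signed GOOD response whose CertID names `leaf` itself."""
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False
    try:  # signature over ResponseData with the CA key (assumption above)
        issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                   ec.ECDSA(resp.signature_hash_algorithm))
    except Exception:
        return False
    # Binding step: the CertID must name the certificate presented in this handshake,
    # not merely some certificate this CA vouches for (freshness checks omitted here).
    want = ocsp.OCSPRequestBuilder().add_certificate(leaf, issuer, resp.hash_algorithm).build()
    if (resp.serial_number, resp.issuer_name_hash, resp.issuer_key_hash) != (
            want.serial_number, want.issuer_name_hash, want.issuer_key_hash):
        return False
    return resp.certificate_status == ocsp.OCSPCertStatus.GOOD

def demo():
    """Constructed scenario: a valid response for b.example stapled into a.example's handshake."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca = make_cert("Test CA", ca_key, None, ca_key, 1)
    a = make_cert("a.example", ec.generate_private_key(ec.SECP256R1()), ca, ca_key, 1001)
    b = make_cert("b.example", ec.generate_private_key(ec.SECP256R1()), ca, ca_key, 1002)
    return (stapled_response_is_valid(make_ocsp_response(a, ca, ca_key), a, ca),
            stapled_response_is_valid(make_ocsp_response(b, ca, ca_key), a, ca))
```

A verifier that only checks the signature and the "good" status would return True for both cases; the CertID comparison is what rejects the second.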
Improper Certificate Validation
Affected Products
Alt Linux
Astra Linux
Centos
Linuxmint
Apple Macos
Red Hat
Rocky Linux
Suse
Ubuntu
Curl