Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
5
CVSSv2

CVE-2016-5420

Published: 10/08/2016 Updated: 07/11/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Subscribe to Debian

Vulnerability Summary

curl and libcurl prior to 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote malicious users to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

debian debian linux 8.0

haxx libcurl

opensuse leap 42.1

Vendor Advisories

Ubuntu Security Notice: curl vulnerabilities
Several security issues were fixed in curl ...
Red Hat: Moderate: curl security, bug fix, and enhancement update
Synopsis Moderate: curl security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Topic An update for curl is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring System ( ...
Red Hat: Moderate: httpd24 security, bug fix, and enhancement update
Synopsis Moderate: httpd24 security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Topic An update for httpd24-httpd, httpd24-nghttp2, and httpd24-curl is now available for Red Hat Software CollectionsRed Hat Product Security has rated this update as having a security impact of ...
Red Hat: Important: Red Hat JBoss Core Services Apache HTTP 2.4.23 Release
Synopsis Important: Red Hat JBoss Core Services Apache HTTP 2423 Release Type/Severity Security Advisory: Important Topic Red Hat JBoss Core Services httpd 2423 is now available from the Red Hat Customer Portal for Solaris and Microsoft Windows systemsRed Hat Product Security has rated this release as ...
Debian Security Advisories: DSA-3638-1 curl -- security update
Several vulnerabilities were discovered in cURL, an URL transfer library: CVE-2016-5419 Bru Rom discovered that libcurl would attempt to resume a TLS session even if the client certificate had changed CVE-2016-5420 It was discovered that libcurl did not consider client certificates when reusing TLS connections CVE-2016-5421 M ...
Amazon Linux AMI: ALAS-2016-730
curl and libcurl before 7501 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session (CVE-2016-5419) curl and libcurl before 7501 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote atta ...
Red Hat: CVE-2016-5420
It was found that the libcurl library did not check the client certificate when choosing the TLS connection to reuse An attacker could potentially use this flaw to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate ...
Tenable Security Advisories: [R7] LCE 4.8.1 Fixes Multiple Vulnerabilities
The Log Correlation Engine (LCE) is potentially impacted by several vulnerabilities in OpenSSL (20160503), libpcre / PCRE, Libxml2, Handlebars, libcurl, and jQuery that were recently disclosed and fixed Note that due to the time involved in doing a full analysis of each issue, Tenable has opted to upgrade the included versions of each library as a ...

References

CWE-285https://curl.haxx.se/docs/adv_20160803B.htmlhttp://www.debian.org/security/2016/dsa-3638http://lists.opensuse.org/opensuse-updates/2016-09/msg00094.htmlhttp://lists.opensuse.org/opensuse-updates/2016-09/msg00011.htmlhttp://www.securityfocus.com/bid/92309http://www.securitytracker.com/id/1036537http://www.ubuntu.com/usn/USN-3048-1http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.563059https://source.android.com/security/bulletin/2016-12-01.htmlhttps://www.tenable.com/security/tns-2016-18https://security.gentoo.org/glsa/201701-47http://www.securitytracker.com/id/1036739http://rhn.redhat.com/errata/RHSA-2016-2957.htmlhttp://rhn.redhat.com/errata/RHSA-2016-2575.htmlhttp://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlhttps://access.redhat.com/errata/RHSA-2018:3558https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLPXQQKURBQFM4XM6645VRPTOE2AWG33/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K3GQH4V3XAQ5Z53AMQRDEC3C3UHTW7QR/https://usn.ubuntu.com/3048-1/https://nvd.nist.gov
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-3675CVE-2024-3400CVE-2024-23557mass assignmentCVE-2023-1389local file inclusionCVE-2024-32596file uploadCVE-2024-32593
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook