
CVE-2020-8286

Published: 14/12/2020 Updated: 27/03/2024
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 446
CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Summary

curl 7.41.0 up to and including 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response. When OCSP stapling verification is enabled (CURLOPT_SSL_VERIFYSTATUS in libcurl, --cert-status in the curl tool), libcurl checked the stapled OCSP response but did not confirm that the response actually refers to the server certificate being verified, so a well-formed response issued for a different certificate could be accepted in place of the real one, including for a certificate that has been revoked. The fix is in curl 7.74.0.

Vulnerable Products

haxx libcurl

fedoraproject fedora 32

fedoraproject fedora 33

debian debian linux 9.0

debian debian linux 10.0

netapp clustered data ontap -

netapp solidfire -

netapp hci management node -

netapp hci bootstrap os -

netapp hci storage node firmware -

apple mac os x

apple mac os x 10.14.6

apple mac os x 10.15.7

apple macos

siemens simatic tim 1531 irc firmware

siemens sinec infrastructure network services

oracle peoplesoft enterprise peopletools 8.58

oracle communications billing and revenue management 12.0.0.3.0

oracle essbase 21.2

oracle communications cloud native core policy 1.14.0

splunk universal forwarder 9.1.0

splunk universal forwarder

Vendor Advisories

Debian Bug report logs - #977161 curl: CVE-2020-8286: Inferior OCSP verification. Package: src:curl; Maintainer for src:curl is Alessandro Ghedini <ghedo@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Fri, 11 Dec 2020 22:09:01 UTC; Severity: important; Tags: security, upstream; Found in version ...
Multiple vulnerabilities were discovered in cURL, a URL transfer library: CVE-2020-8169 Marek Szlagor reported that libcurl could be tricked into prepending a part of the password to the host name before it resolves it, potentially leaking the partial password over the network and to the DNS server(s). CVE-2020-8177 sn reporte ...
A flaw was found in libcurl from versions 7.29.0 through 7.71.1. An application that performs multiple requests with libcurl's multi API, and sets the `CURLOPT_CONNECT_ONLY` option, might experience libcurl using the wrong connection. The highest threat from this vulnerability is to data confidentiality (CVE-2020-8231). A malicious server can use t ...
A security issue was found in curl versions 7.41.0 up to and including 7.73.0. libcurl offers "OCSP stapling" via the CURLOPT_SSL_VERIFYSTATUS option. When set, libcurl verifies the OCSP response that a server responds with as part of the TLS handshake. It then aborts the TLS negotiation if something is wrong with the response. The same feature can ...
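The summary above and the curl advisory snippet give the affected range (7.41.0 up to and including 7.73.0, fixed in 7.74.0) and the feature that exposes it (CURLOPT_SSL_VERIFYSTATUS / --cert-status). A practitioner triaging a fleet usually starts from `curl --version` output, so the following is an added example of that triage logic; it is not code from this page or from the curl project. It parses the libcurl version token (the flaw is in libcurl, not the curl front end), compares it against the CVE's range, and reports whether an OpenSSL-family TLS backend is linked, since the missing "is this OCSP response for this certificate" check was in libcurl's OpenSSL backend per the upstream advisory. The `SAMPLES` outputs are constructed, not captured from real hosts, and treating LibreSSL and BoringSSL as the same code path as OpenSSL is an assumption made by this example.

```python
"""CVE-2020-8286 triage from `curl --version` output (added example; not from
the page or the curl project). Affected range and fix version come from the
CVE text; the OpenSSL-backend condition comes from the upstream curl advisory.
"""
import re

AFFECTED_FIRST = (7, 41, 0)   # first affected release, from the CVE text
AFFECTED_LAST = (7, 73, 0)    # last affected release; 7.74.0 carries the fix
# Assumption: all of these are served by libcurl's OpenSSL backend code path.
OPENSSL_FAMILY = {"OpenSSL", "LibreSSL", "BoringSSL"}

# Constructed `curl --version` outputs used as sample input (not real hosts).
SAMPLES = {
    "in-range-openssl": (
        "curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f "
        "zlib/1.2.11 libidn2/2.2.0 libssh/0.9.3/openssl/zlib nghttp2/1.40.0\n"
        "Release-Date: 2020-01-08\n"
    ),
    "fixed": "curl 7.74.0 (x86_64-pc-linux-gnu) libcurl/7.74.0 OpenSSL/1.1.1i zlib/1.2.11\n",
    "in-range-gnutls": "curl 7.64.0 (x86_64-pc-linux-gnu) libcurl/7.64.0 GnuTLS/3.6.7 zlib/1.2.11\n",
    "pre-7.41": "curl 7.40.0 (x86_64-pc-linux-gnu) libcurl/7.40.0 OpenSSL/1.0.1k zlib/1.2.8\n",
}


def parse_version(text):
    """'7.68.0' (optionally with a suffix such as '-DEV') -> (7, 68, 0)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x) for x in m.groups())


def openssl_backends(first_line):
    """Return the OpenSSL-family backend names present on the version line.

    Tokens look like 'OpenSSL/1.1.1f' or, for a non-default backend in a
    multi-backend build, '(OpenSSL/1.1.1h)'. Nested tokens such as
    'libssh/0.9.3/openssl/zlib' are deliberately not matched.
    """
    found = []
    for tok in first_line.split():
        name = tok.strip("()").split("/")[0]
        if name in OPENSSL_FAMILY:
            found.append(name)
    return found


def assess(version_output):
    """Classify one `curl --version` output for CVE-2020-8286 exposure."""
    first = version_output.strip().splitlines()[0]
    m = re.search(r"\blibcurl/(\S+)", first)
    if not m:
        raise ValueError("no libcurl/x.y.z token on the first line")
    ver = parse_version(m.group(1))   # the flaw lives in libcurl, not the tool
    in_range = AFFECTED_FIRST <= ver <= AFFECTED_LAST
    backends = openssl_backends(first)
    if not in_range:
        verdict = "outside-affected-range"
    elif backends:
        verdict = "vulnerable"
    else:
        verdict = "affected-version-but-no-openssl-backend"
    return {
        "libcurl": ver,
        "in_affected_range": in_range,
        "openssl_backends": backends,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, out in SAMPLES.items():
        r = assess(out)
        dotted = ".".join(map(str, r["libcurl"]))
        print(f"{label:26} libcurl {dotted:8} {r['verdict']}")
```

Two caveats apply when using this on real hosts. First, a version-only verdict is an upper bound: distributions that backport fixes keep the old version string (the Debian advisory above fixed this CVE without moving to 7.74.0), so "vulnerable" here means "check the package changelog", not "exploitable". Second, the flawed check is only exercised when the application actually turns on OCSP stapling verification, so a vulnerable build whose callers never set CURLOPT_SSL_VERIFYSTATUS or pass --cert-status is exposed only in the sense that enabling the feature would not give the protection it promises.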

Mailing Lists

Full Disclosure mailing list archives: APPLE-SA-2021-04-26-2 macOS Big Sur 11.3. From: Apple Product Se ...
oss-sec mailing list archives: [SECURITY ADVISORY] curl: Inferior OCSP verification. From: Daniel Stenb ...

Github Repositories

ecr-api: This API provides simple RESTful API access to a service. Endpoints: GET /v1/ecr/ping, GET /v1/ecr/version, GET /v1/ecr/metrics, GET /v1/ecr/{account}/repositories, POST /v1/ecr/{account}/repositories/{group}, GET /v1/ecr/{account}/repositories/{group}, GET /v1/ecr/{account}/repositories/{group}/{name}, PUT /v1/ecr/{account}/repositories/{group}/{name}, DELETE /v1

Envoy mTLS: Sample configuration for HTTP and Network mTLS using envoy yaml. This demonstrates two types of mTLS validation for the downstream client (client -> envoy_server): envoy.transport_sockets.tls, client -> (mTLS) -> envoy -> (TLS) -> upstream; envoy.filters.network.client_ssl