7.5

CVE-2016-5420

EPSS 1.07%
Published 10.08.2016 14:59:05
Last modified 12.04.2025 10:46:40
Source secalert@redhat.com
Teams watchlist Login
Open Login

curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.

Affected products Warnungen 0 Metrics 3 CWE 1 References 21

Data is provided by the National Vulnerability Database (NVD)

Debian ≫ Debian Linux Version8.0

Haxx ≫ Libcurl Version <= 7.50.0

Opensuse ≫ Leap Version42.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.07%	0.77

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

http://rhn.redhat.com/errata/RHSA-2016-2957.html

https://source.android.com/security/bulletin/2016-12-01.html

https://security.gentoo.org/glsa/201701-47

https://www.tenable.com/security/tns-2016-18

http://lists.opensuse.org/opensuse-updates/2016-09/msg00011.html

http://lists.opensuse.org/opensuse-updates/2016-09/msg00094.html

Third Party Advisory

http://rhn.redhat.com/errata/RHSA-2016-2575.html

http://www.debian.org/security/2016/dsa-3638

Third Party Advisory

http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.563059

http://www.ubuntu.com/usn/USN-3048-1

https://access.redhat.com/errata/RHSA-2018:3558

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLPXQQKURBQFM4XM6645VRPTOE2AWG33/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K3GQH4V3XAQ5Z53AMQRDEC3C3UHTW7QR/

http://www.securityfocus.com/bid/92309

http://www.securitytracker.com/id/1036537

http://www.securitytracker.com/id/1036739

https://curl.haxx.se/docs/adv_20160803B.html

Patch

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2016-5420

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2016-5420

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2016-5420

EUVD