CVE-2024-0853

2024-02-0314:15:50

CWE-295

curl

web.nvd.nist.gov

cve-2024-0853

curl

ssl

session id

cache

verify status

ocsp stapling

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score

5.3

Confidence

High

EPSS

0.001

Percentile

24.2%

JSON

curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (OCSP stapling) test failed. A subsequent transfer to
the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.

Affected configurations

Nvd

Node

haxxcurlMatch8.5.0

VendorProductVersionCPE
haxxcurl8.5.0cpe:2.3:a:haxx:curl:8.5.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
haxx	curl	8.5.0	cpe:2.3:a:haxx:curl:8.5.0:::::::*

CNA Affected

[
  {
    "vendor": "curl",
    "product": "curl",
    "versions": [
      {
        "version": "8.5.0",
        "status": "affected",
        "lessThanOrEqual": "8.5.0",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]