6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.003 Low
EPSS
Percentile
64.8%
When compiled --with-libmetalink and used with --metalink, curl does check the cryptographic hash of the downloaded files. However, the only indication that the hash was incorrect is a message displayed to the user; the files with incorrect hashes are left on disk as-is.
Since curl implements the hash validation and reports incorrect hashes, there might be an expectation that files with incorrect hashes would not be kept either. Since a metalink can be used with insecure protocols such as http and ftp, the hash validation might be relied on as the actual way to verify the integrity of the download against tampering.
1. Configure libcurl --with-libmetalink and build libcurl.
2. Have metalinktest.xml with <file name="testfile"> containing an incorrect sha-256 hash for it.
3. Execute: curl --metalink https://testsite/metalinktest.xml
The following message will be displayed:
Metalink: validating (testfile) [sha-256] FAILED (digest mismatch)
Yet the downloaded file testfile, whose hash did not match, is kept.
It would be more sensible to download the file under a temporary name first, verify the hash, and only then move it to its final name if the hash is correct. If a hash mismatch is found, remove the temporary file.
Modified or tampered files are kept and possibly incorrectly assumed valid