7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
38.7%
A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to
trick it to keep using HTTP. Using its HSTS support, curl can be instructed
to use HTTPS instead of using an insecure clear-text HTTP step even when
HTTP is provided in the URL. However, the HSTS mechanism could be bypassed
if the host name in the given URL first uses IDN characters that get
replaced to ASCII counterparts as part of the IDN conversion. Like using
the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common
ASCII full stop (U+002E) .
. Then in a subsequent request, it does not
detect the HSTS state and makes a clear text transfer. Because it would
store the info IDN encoded but look for it IDN decoded.
Author | Note |
---|---|
mdeslaur | Affected versions: curl 7.77.0 to and including 7.86.0 |
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
38.7%