Insecure Connection Processing

2020-08-2004:14:02

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

JSON

libcurl.so does not securely handle connections. An application that performs multiple requests with the multi API and sets the CURLOPT_CONNECT_ONLY option when using the setup connect-only transfer, could potentially use the wrong connection and and utilize another connection that was created.

CPENameOperatorVersion
libcurl.sole4.6.0
curl:focaleq7.68.0-1ubuntu2
curl:xenialeq7.47.0-1ubuntu2
curl:bioniceq7.58.0-2ubuntu3
curl:stretcheq7.52.1-5+deb9u10
curl:3.10eq7.66.0-r0
curl:3.12eq7.69.1-r0
curl:3.11eq7.67.0-r0
curleq7.64.0-r3
curl:groovyeq7.68.0-1ubuntu4

Name	Operator	Version
libcurl.so	le	4.6.0
curl:focal	eq	7.68.0-1ubuntu2
curl:xenial	eq	7.47.0-1ubuntu2
curl:bionic	eq	7.58.0-2ubuntu3
curl:stretch	eq	7.52.1-5+deb9u10
curl:3.10	eq	7.66.0-r0
curl:3.12	eq	7.69.1-r0
curl:3.11	eq	7.67.0-r0
curl	eq	7.64.0-r3
curl:groovy	eq	7.68.0-1ubuntu4