Vulnerability Description
curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.
CVSS Score
7.5
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Haxx | Libcurl | <= 7.50.0 |
| Debian | Debian Linux | 8.0 |
| Opensuse | Leap | 42.1 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-updates/2016-09/msg00011.html
- http://lists.opensuse.org/opensuse-updates/2016-09/msg00094.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2016-2575.html
- http://rhn.redhat.com/errata/RHSA-2016-2957.html
- http://www.debian.org/security/2016/dsa-3638Third Party Advisory
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- http://www.securityfocus.com/bid/92292
- http://www.securityfocus.com/bid/92319
- http://www.securitytracker.com/id/1036538
- http://www.securitytracker.com/id/1038341
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slack
- http://www.ubuntu.com/usn/USN-3048-1
- https://access.redhat.com/errata/RHSA-2018:3558
- https://curl.haxx.se/docs/adv_20160803A.htmlMitigationPatchVendor Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2016-5419?
CVE-2016-5419 is a vulnerability with a CVSS score of 7.5 (HIGH). curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.
How severe is CVE-2016-5419?
CVE-2016-5419 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-5419?
Check the references section above for vendor advisories and patch information. Affected products include: Haxx Libcurl, Debian Debian Linux, Opensuse Leap.