CVE-2020-8286 — HIGH (7.5) — White Hats Nepal

Q: What is CVE-2020-8286?

CVE-2020-8286 is a vulnerability with a CVSS score of 7.5 (HIGH). curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.

Q: How severe is CVE-2020-8286?

CVE-2020-8286 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-8286?

Check the references section above for vendor advisories and patch information. Affected products include: Haxx Libcurl, Fedoraproject Fedora, Debian Debian Linux, Netapp Clustered Data Ontap, Netapp Hci Management Node.

Vulnerability Description

curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Haxx	Libcurl	>= 7.41.0, < 7.74.0
Fedoraproject	Fedora	32
Debian	Debian Linux	9.0
Netapp	Clustered Data Ontap	-
Netapp	Hci Management Node	-
Netapp	Solidfire	-
Netapp	Hci Bootstrap Os	-
Netapp	Hci Compute Node	-
Netapp	Hci Storage Node Firmware	-
Netapp	Hci Storage Node	-
Apple	Mac Os X	< 10.14.6
Apple	Macos	>= 11.0, < 11.3
Siemens	Simatic Tim 1531 Irc Firmware	<= 2.2
Siemens	Simatic Tim 1531 Irc	-
Siemens	Sinec Infrastructure Network Services	< 1.0.1.1
Oracle	Communications Billing And Revenue Management	12.0.0.3.0
Oracle	Communications Cloud Native Core Policy	1.14.0
Oracle	Essbase	21.2
Oracle	Peoplesoft Enterprise Peopletools	8.58
Splunk	Universal Forwarder	>= 8.2.0, < 8.2.12

Related Weaknesses (CWE)

CWE-295

References

http://seclists.org/fulldisclosure/2021/Apr/50Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2021/Apr/51Mailing ListThird Party Advisory
http://seclists.org/fulldisclosure/2021/Apr/54Mailing ListThird Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-200951.pdfThird Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfPatchThird Party Advisory
https://curl.se/docs/CVE-2020-8286.htmlVendor Advisory
https://hackerone.com/reports/1048457ExploitPatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2020/12/msg00029.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
https://security.gentoo.org/glsa/202012-14Third Party Advisory
https://security.netapp.com/advisory/ntap-20210122-0007/Third Party Advisory
https://support.apple.com/kb/HT212325Third Party Advisory
https://support.apple.com/kb/HT212326Third Party Advisory
https://support.apple.com/kb/HT212327Third Party Advisory

FAQ

What is CVE-2020-8286?

CVE-2020-8286 is a vulnerability with a CVSS score of 7.5 (HIGH). curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.

How severe is CVE-2020-8286?

CVE-2020-8286 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-8286?

Check the references section above for vendor advisories and patch information. Affected products include: Haxx Libcurl, Fedoraproject Fedora, Debian Debian Linux, Netapp Clustered Data Ontap, Netapp Hci Management Node.