CVE-2024-0853

Name
CVE-2024-0853
Description
curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type                                  URI
2499f714-1537-4658-8207-48ae4bb9eae9  https://curl.se/docs/CVE-2024-0853.html
2499f714-1537-4658-8207-48ae4bb9eae9  https://curl.se/docs/CVE-2024-0853.json
2499f714-1537-4658-8207-48ae4bb9eae9  https://hackerone.com/reports/2298922
2499f714-1537-4658-8207-48ae4bb9eae9  https://security.netapp.com/advisory/ntap-20240307-0004/
2499f714-1537-4658-8207-48ae4bb9eae9  https://security.netapp.com/advisory/ntap-20240426-0009/
2499f714-1537-4658-8207-48ae4bb9eae9  https://security.netapp.com/advisory/ntap-20240503-0012/

Match rules

CPE URI                                   Source package  Min version  Max version
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*       curl            >= None      < 8.6.0
cpe:2.3:a:haxx:curl:8.5.0:*:*:*:*:*:*:*   curl            == None      == 8.5.0

Vulnerable and fixed packages

Source package  Branch     Version   Maintainer                             Status
curl            3.16-main  8.5.0-r0  Natanael Copa <ncopa@alpinelinux.org>  possibly vulnerable