CVE-2024-0853: OCSP verification bypass with TLS session reuse
First published: Wed Jan 31 2024(Updated: )
curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.
Credit: 2499f714-1537-4658-8207-48ae4bb9eae9
| Affected Software | Affected Version | How to fix |
|---|---|---|
| =8.5.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/281082
- https://exchange.xforce.ibmcloud.com/vulnerabilities/255804
- https://exchange.xforce.ibmcloud.com/vulnerabilities/217968
- https://www.ibm.com/support/pages/node/7144861 (Advisory)
- https://curl.se/docs/CVE-2024-0853.json
- https://curl.se/docs/CVE-2024-0853.html
- https://hackerone.com/reports/2298922
- https://security.netapp.com/advisory/ntap-20240307-0004/
- https://security.netapp.com/advisory/ntap-20240426-0009/
- https://security.netapp.com/advisory/ntap-20240503-0012/
- collector/oss-sec
- source/oss-sec
- alias/CVE-2024-0853
- agent/first-publish-date
- agent/title
- agent/type
- agent/author
- agent/weakness
- agent/softwarecombine
- collector/ibm-support
- source/IBM
- agent/severity
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/tags
- agent/last-modified-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/haxx
- canonical/haxx curl
- version/haxx curl/8.5.0