Vulnerability identifier: #VU56613
Vulnerability risk: Medium
Exploitation vector: Network
Exploit availability: No
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an error, related to incorrect enforcement of the
--ssl-reqd option on the command line or
CURLOPT_USE_SSL setting set to
CURLUSESSL_ALL with libcurl. A remote attacker with control over the IMAP, POP3 or FTP server can send a specially crafted but perfectly legitimate response to the libcurl client and force it silently to continue its operations without TLS encryption and transmit data in clear text over the network.
Install updates from vendor's website.
Vulnerable software versions
cURL: 7.20.0 - 7.78.0
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.