{"id":"CURL-CVE-2020-8286","summary":"Inferior OCSP verification","details":"libcurl offers \"OCSP stapling\" via the `CURLOPT_SSL_VERIFYSTATUS` option. When\nset, libcurl verifies the OCSP response that a server responds with as part of\nthe TLS handshake. It then aborts the TLS negotiation if something is wrong\nwith the response. The same feature can be enabled with `--cert-status` using\nthe curl tool.\n\nAs part of the OCSP response verification, a client should verify that the\nresponse is indeed set out for the correct certificate. This step was not\nperformed by libcurl when built or told to use OpenSSL as TLS backend.\n\nThis flaw would allow an attacker, who perhaps could have breached a TLS\nserver, to provide a fraudulent OCSP response that would appear fine, instead\nof the real one. Like if the original certificate actually has been revoked.","aliases":["CVE-2020-8286"],"modified":"2024-06-07T13:53:51Z","published":"2020-12-09T08:00:00Z","database_specific":{"www":"https://curl.se/docs/CVE-2020-8286.html","issue":"https://hackerone.com/reports/1048457","severity":"Medium","award":{"amount":"900","currency":"USD"},"CWE":{"desc":"Improper Check for Certificate Revocation","id":"CWE-299"},"URL":"https://curl.se/docs/CVE-2020-8286.json","package":"curl","last_affected":"7.73.0","affects":"both"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.41.0"},{"fixed":"7.74.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"d1cf5d570663dac157740cb5e49d24614f185da7"},{"fixed":"d9d01672785b8ac04aab1abb6de95fe3072ae199"}]}],"versions":["7.73.0","7.72.0","7.71.1","7.71.0","7.70.0","7.69.1","7.69.0","7.68.0","7.67.0","7.66.0","7.65.3","7.65.2","7.65.1","7.65.0","7.64.1","7.64.0","7.63.0","7.62.0","7.61.1","7.61.0","7.60.0","7.59.0","7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0"],"database_specific":{"vanir_signatures":[{"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["29490024671975672532466697730634192543","150658523040445163626190830043105559351","55615205669380123754686266025723672279","234613321876898012460475911472627079123","288321406062900684107734371386629272506","264366593955683573042451233528712742692","126252179817387251293222630440896362544","268445579308710450553938611634107945279","159501017271339925481190268722142187161","110720987930677197584980753557189731650","276246039001876631780203511128297958061","46532573479005883850301334274783785563","18059021501271731946813844744312774593","269893079348340618975225357537060924133","204844362731750219264952438391176107927","69924972379068336835701470508143960120","319720805141641668895100120074209506774","90356842151597435517206311466491649871","240257619169195329130153327026547575300","39015431980171255097948863549494625678","304277352018877414606395666892430409727","270567144487861548883494757910101325282","227280367406272806843241081675437746124","87827950201090329807184262594553627547","208372214734353540995078252528355509650","261544141291269853241979155370475741653","42657071783486649598942880596466089975","288643654384665480160000248915730714112","24496263137939952869911077367602815022","240277675619420372849450656879831296707","28660092658308721226559085965092688683","154241369911808175951014534780007844234","181373263068516427560703252143604188123","141228069233290945408302367561222566695","336322265995907339848804942957294511919"]},"deprecated":false,"target":{"file":"lib/vtls/openssl.c"},"id":"CURL-CVE-2020-8286-421baf4d","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/d9d01672785b8ac04aab1abb6de95fe3072ae199"},{"signature_type":"Function","digest":{"length":2623,"function_hash":"220771861087475260763616045925501466925"},"deprecated":false,"target":{"file":"lib/vtls/openssl.c","function":"verifystatus"},"id":"CURL-CVE-2020-8286-c34d3359","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/d9d01672785b8ac04aab1abb6de95fe3072ae199"}],"source":"https://curl.se/docs/CURL-CVE-2020-8286.json"}}],"schema_version":"1.7.3","credits":[{"name":"Ospoco","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}