{"id":"CURL-CVE-2024-0853","summary":"OCSP verification bypass with TLS session reuse","details":"curl inadvertently kept the SSL session ID for connections in its cache even\nwhen the verify status (*OCSP stapling*) test failed. A subsequent transfer to\nthe same hostname could then succeed if the session ID cache was still fresh,\nwhich then skipped the verify status check.","aliases":["CVE-2024-0853"],"modified":"2024-01-31T08:07:21Z","published":"2024-01-31T08:00:00Z","database_specific":{"package":"curl","severity":"Low","URL":"https://curl.se/docs/CVE-2024-0853.json","affects":"both","issue":"https://hackerone.com/reports/2298922","www":"https://curl.se/docs/CVE-2024-0853.html","CWE":{"desc":"Improper Check for Certificate Revocation","id":"CWE-299"},"award":{"currency":"USD","amount":"540"},"last_affected":"8.5.0"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"8.5.0"},{"fixed":"8.6.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"395365ad2d9a6c3f1a35d5e268a6af2824129832"},{"fixed":"c28e9478cb2548848eca9b765d0d409bfb18668c"}]}],"versions":["8.5.0"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","digest":{"function_hash":"238450730006193140542600700210748384811","length":5025},"source":"https://github.com/curl/curl.git/commit/c28e9478cb2548848eca9b765d0d409bfb18668c","deprecated":false,"signature_type":"Function","id":"CURL-CVE-2024-0853-79861d54","target":{"function":"servercert","file":"lib/vtls/openssl.c"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["114497631425936863817012993526107534880","115198909464429285217625058644659829226","10745843113687217952865983450508381750","237704628286891606960412530438035785442"]},"source":"https://github.com/curl/curl.git/commit/c28e9478cb2548848eca9b765d0d409bfb18668c","deprecated":false,"signature_type":"Line","id":"CURL-CVE-2024-0853-ce49dbcc","target":{"file":"lib/vtls/openssl.c"}}],"source":"https://curl.se/docs/CURL-CVE-2024-0853.json"}}],"schema_version":"1.7.3","credits":[{"name":"Hiroki Kurosawa","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}