{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2017-7468",
  "aliases": [
    "CVE-2017-7468"
  ],
  "summary": "TLS session resumption client cert bypass (again)",
  "modified": "2024-07-02T09:22:24.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2017-7468.json",
    "www": "https://curl.se/docs/CVE-2017-7468.html",
    "CWE": {
      "id": "CWE-305",
      "desc": "Authentication Bypass by Primary Weakness"
    },
    "last_affected": "7.53.1",
    "severity": "High"
  },
  "published": "2017-04-19T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "7.52.0"},
             {"fixed": "7.54.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "95c717bbd9c327c38b4efcc37d5cda29b8ee2a36"},
             {"fixed": "33cfcfd9f0378625d3bddbd2c8ac5aad4b646f26"}
           ]
        }
      ],
      "versions": [
        "7.53.1", "7.53.0", "7.52.1", "7.52.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "lijian996 on github",
      "type": "FINDER"
    },
    {
      "name": "Ray Satiro",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "libcurl would attempt to resume a TLS session even if the client certificate\nhad changed. That is unacceptable since a server by specification is allowed\nto skip the client certificate check on resume, and may instead use the old\nidentity which was established by the previous certificate (or no\ncertificate).\n\nlibcurl supports by default the use of TLS session id/ticket to resume\nprevious TLS sessions to speed up subsequent TLS handshakes. They are used\nto make the next handshake faster whenever, for any reason, an existing TLS\nconnection could not be kept alive.\n\nThis flaw is a regression and identical to\n[CVE-2016-5419](https://curl.se/docs/CVE-2016-5419.html) reported on\nAugust 3rd 2016, but affecting a different version range."
}