
cURL/libcurl 7.x < 7.50.1 Multiple Vulnerabilities

High

Synopsis

The host is running a version of cURL/libcurl that is vulnerable to multiple attack vectors.

Description

Versions of cURL and libcurl prior to 7.50.1 are affected by multiple vulnerabilities:

- A flaw exists in 'lib/vtls/vtls.c' due to the program attempting to resume TLS sessions even if the client certificate fails. This may allow a context-dependent attacker to bypass validation mechanisms. (CVE-2016-5419)
- A use-after-free error exists in the 'close_all_connections()' function in 'lib/multi.c'. The issue is triggered as connection pointers are not properly cleared for easy handles. This may allow a context-dependent attacker to dereference already freed memory and have an unspecified impact that may potentially include code execution. (CVE-2016-5421)

Solution

Upgrade to cURL/libcurl 7.50.1 or later.
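A small version check that a defender can run to confirm whether a host is still on an affected release. This is an added example, not the detection plugin's own code: it parses the first line of `curl --version` output, prefers the `libcurl/X.Y.Z` token (the advisory concerns the library, and the CLI binary may be linked against a different libcurl than the one it was built with), and compares numerically so that `7.9.0` is correctly ranked below `7.50.1`. The sample banners are constructed for illustration.

```python
import re
import subprocess
from typing import Optional, Tuple

# First release that the advisory names as fixing CVE-2016-5419 and CVE-2016-5421.
FIXED_VERSION = (7, 50, 1)

# Constructed sample banners (first line of `curl --version`); not captured from real hosts.
SAMPLE_BANNERS = {
    "old": "curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 OpenSSL/1.0.2g zlib/1.2.8",
    "fixed": "curl 7.50.1 (x86_64-pc-linux-gnu) libcurl/7.50.1 OpenSSL/1.0.2h zlib/1.2.8",
    "newer": "curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.8 zlib/1.2.13",
    # CLI newer than the shared library it is actually linked against.
    "mismatch": "curl 7.50.1 (x86_64-pc-linux-gnu) libcurl/7.47.0 OpenSSL/1.0.2g zlib/1.2.8",
}


def parse_curl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return the libcurl version as an (major, minor, patch) tuple, or None if unparseable.

    The libcurl/X.Y.Z token is preferred over the leading 'curl X.Y.Z' because the
    vulnerable code lives in the library, not the command-line front end.
    """
    m = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        m = re.match(r"curl (\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version is below 7.50.1.

    Tuple comparison is element-wise, so (7, 9, 0) < (7, 50, 1) holds even though the
    string '7.9.0' sorts after '7.50.1'; never compare version strings lexically.
    """
    return version < FIXED_VERSION


def assess_banner(banner: str) -> str:
    """Classify a banner as 'affected', 'not_affected' or 'unknown'."""
    version = parse_curl_version(banner)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not_affected"


def assess_local_curl() -> str:
    """Run `curl --version` on this host and classify the result; 'unknown' if curl is absent."""
    try:
        out = subprocess.run(["curl", "--version"], capture_output=True, text=True, timeout=5)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "unknown"
    first_line = out.stdout.splitlines()[0] if out.stdout else ""
    return assess_banner(first_line)


if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(f"{label:9s} {parse_curl_version(banner)} -> {assess_banner(banner)}")
    print("local    ", assess_local_curl())
```

The mismatch banner is the case worth remembering: a distribution can ship a patched `curl` binary while an application bundles its own older `libcurl.so`, so inventory the library that each process actually loads rather than only the CLI.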