In curl and libcurl 7.52.0 up to and including 7.53.1, libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable, because a server is by specification allowed to skip the client certificate check on resumption and may instead reuse the identity established by the previous handshake (with the previous certificate, or with no certificate at all). libcurl by default uses TLS session IDs and session tickets to resume previous TLS sessions and speed up subsequent handshakes; they are used whenever an existing TLS connection could not be kept alive, so that the next handshake is faster. The practical consequence is that a handle configured with a different client certificate (or none) could be resumed into, and authenticated as, the identity of an earlier connection to the same host. This flaw is a regression and is identical to CVE-2016-5419, reported on August 3rd 2016, but affects a different version range.
CVSS v2
Base Score: 5
Impact Score: 2.9
Exploitability Score: 10
CVSS v3
Base Score: 7.5
Impact Score: 3.6
Exploitability Score: 3.9
cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:* versions from 7.52.0 to 7.53.1 (inclusive)
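The following is an added illustration written for this page; it is not libcurl's code. It models the two ways a TLS session cache can be keyed: the vulnerable lookup matches a cached session on destination (host, port) only, so a connection configured with a different client certificate, or with none, resumes the earlier session; the fixed lookup also requires the client certificate setting to match. A toy server models the behaviour the description relies on: on resumption it performs no certificate check and keeps the identity established by the original full handshake. The block also carries a small helper that tests a version string (or the first line of `curl --version`) against the affected range 7.52.0 to 7.53.1 stated above. Names such as `ConnConfig`, `SessionCache`, `ToyServer`, `demo` and `is_affected`, and the certificate file names, are assumptions of this example.

```python
"""Model of the libcurl 7.52.0-7.53.1 session-resumption regression.

Added example, not libcurl's own code. Certificate names and all class and
function names below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class ConnConfig:
    host: str
    port: int
    client_cert: Optional[str]  # path of the client certificate, None = no cert


@dataclass
class Session:
    session_id: bytes
    identity: Optional[str]  # what the server believes the client is


class SessionCache:
    """Client-side session cache; compare_client_cert selects vulnerable or fixed keying."""

    def __init__(self, compare_client_cert: bool):
        self.compare_client_cert = compare_client_cert
        self._entries: Dict[Tuple, Session] = {}

    def _key(self, cfg: ConnConfig) -> Tuple:
        if self.compare_client_cert:
            # Fixed behaviour: a session is only reusable for the same client identity.
            return (cfg.host, cfg.port, cfg.client_cert)
        # Vulnerable behaviour: destination alone decides whether a session is reused.
        return (cfg.host, cfg.port)

    def lookup(self, cfg: ConnConfig) -> Optional[Session]:
        return self._entries.get(self._key(cfg))

    def store(self, cfg: ConnConfig, session: Session) -> None:
        self._entries[self._key(cfg)] = session


class ToyServer:
    """Server that authenticates the client only during a full handshake.

    On resumption it skips the client-certificate check, as the TLS
    specification permits, and carries over the identity bound to the session.
    """

    def __init__(self):
        self._sessions: Dict[bytes, Optional[str]] = {}
        self._counter = 0

    def full_handshake(self, client_cert: Optional[str]) -> Session:
        self._counter += 1
        sid = self._counter.to_bytes(4, "big")
        self._sessions[sid] = client_cert  # identity := certificate presented (or None)
        return Session(sid, client_cert)

    def resume(self, session_id: bytes) -> Optional[str]:
        return self._sessions[session_id]  # no certificate check on resume


def connect(cache: SessionCache, server: ToyServer, cfg: ConnConfig):
    """Returns (resumed, identity the server associates with this connection)."""
    cached = cache.lookup(cfg)
    if cached is not None:
        return True, server.resume(cached.session_id)
    sess = server.full_handshake(cfg.client_cert)
    cache.store(cfg, sess)
    return False, sess.identity


def demo(compare_client_cert: bool):
    """Three connections to one host: alice's cert, bob's cert, then no cert."""
    cache = SessionCache(compare_client_cert)
    server = ToyServer()
    alice = ConnConfig("example.com", 443, "alice.pem")
    bob = ConnConfig("example.com", 443, "bob.pem")
    anon = ConnConfig("example.com", 443, None)
    return connect(cache, server, alice), connect(cache, server, bob), connect(cache, server, anon)


AFFECTED_MIN = (7, 52, 0)
AFFECTED_MAX = (7, 53, 1)  # inclusive, per the CPE range on this page


def parse_version(text: str) -> Tuple[int, int, int]:
    """Accepts '7.53.1' or the first line of `curl --version` (prefers the libcurl/ tag)."""
    m = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", text) or re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version found in: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_affected(text: str) -> bool:
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


if __name__ == "__main__":
    print("vulnerable keying:", demo(False))  # bob and the anonymous client resume as alice
    print("fixed keying:     ", demo(True))   # each identity gets its own full handshake
    print("7.53.1 affected:", is_affected("7.53.1"), "| 7.54.0 affected:", is_affected("7.54.0"))
```

The version check is a first pass only: distributions backport fixes without bumping the version, so the distribution advisories listed below are the authoritative check for packaged curl. Where upgrading is not immediately possible, an application can turn off libcurl's session cache for the affected handles with `CURLOPT_SSL_SESSIONID_CACHE` set to 0, at the cost of a full handshake per connection.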
| Plugin ID | Name | Product | Family |
|---|---|---|---|
| 106504 | pfSense < 2.3.4 Multiple Vulnerabilities (SA-17_04) | Nessus | Firewalls |
| 103282 | GLSA-201709-14 : cURL: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks |
| 700170 | Mac OS X 10.x < 10.12.6 Multiple Vulnerabilities | Nessus Network Monitor | Operating System Detection |
| 101957 | macOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-003) | Nessus | MacOS X Local Security Checks |
| 101616 | Fedora 26 : curl (2017-3eec07cb06) | Nessus | Fedora Local Security Checks |
| 99582 | Ubuntu 17.04 : curl vulnerability (USN-3262-1) | Nessus | Ubuntu Local Security Checks |
| 99552 | FreeBSD : cURL -- TLS session resumption client cert bypass (again) (3e2e9b44-25ce-11e7-a175-939b30e0836d) | Nessus | FreeBSD Local Security Checks |