Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2016-3739

UNKNOWN
Published 2016-05-20T00:00:00
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2016-3739. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed MODERATE

GHSA-4rcg-2r46-4hcc

Advisory Details

The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.

CVSS Scoring

CVSS Score

5.0

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2016-3739
WEB https://curl.haxx.se/CVE-2016-3739.patch
WEB https://curl.haxx.se/changes.html#7_49_0
WEB https://curl.haxx.se/docs/adv_20160518.html
WEB https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149
WEB https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
WEB https://security.gentoo.org/glsa/201701-47
WEB http://www.openwall.com/lists/oss-security/2024/03/27/4
WEB http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
WEB http://www.securityfocus.com/bid/90726
WEB http://www.securitytracker.com/id/1035907
WEB http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.495349

Advisory provided by GitHub Security Advisory Database. Published: May 14, 2022, Modified: May 1, 2024

References

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149
http://www.securitytracker.com/id/1035907
https://curl.haxx.se/docs/adv_20160518.html
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.495349
http://www.securityfocus.com/bid/90726
https://curl.haxx.se/CVE-2016-3739.patch
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
https://security.gentoo.org/glsa/201701-47
https://curl.haxx.se/changes.html#7_49_0
http://www.openwall.com/lists/oss-security/2024/03/27/4

HackerOne Reports

CVE-2024-2466: TLS certificate check bypass with mbedTLS Medium
frankyueh
curl
Improper Validation of Certificate with Host Mismatch
View Report
Published: 2016-05-20T00:00:00
Last Modified: 2024-08-06T00:03:34.619Z
Copied to clipboard!