Published: October 15, 2021
Modified: October 31, 2024
A flaw was found in curl. The flaw lies in how curl handles cached or pipelined responses that it receives from an IMAP, POP3, SMTP or FTP server before the TLS upgrade using STARTTLS. In such a scenario, even after upgrading to TLS, curl would trust these cached responses, treating them as valid and authenticated, and use them. An attacker could potentially use this flaw to carry out a Man-In-The-Middle attack. The highest threat from this vulnerability is to data confidentiality.
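
The buffering problem described above, modelled as an added example (this is not curl's code and not the fix that was shipped): a client reads the STARTTLS go-ahead from its receive buffer, and any reply lines left in that buffer arrived in cleartext. The class and function names, the `strict` switch and the SMTP-style sample bytes are all constructed for illustration.

```python
class UpgradeError(Exception):
    """Raised when the STARTTLS upgrade must be abandoned."""


class ResponseBuffer:
    """Receive buffer for CRLF-terminated, SMTP-style reply lines."""

    def __init__(self):
        self._buf = b""

    def feed(self, data):
        self._buf += data

    def next_line(self):
        line, sep, rest = self._buf.partition(b"\r\n")
        if not sep:
            return None  # no complete line buffered yet
        self._buf = rest
        return line.decode("ascii")

    def pending(self):
        return len(self._buf)


def first_reply_after_upgrade(plaintext_read, tls_read, strict):
    """Return the first reply the client acts on after the TLS upgrade."""
    buf = ResponseBuffer()
    buf.feed(plaintext_read)  # one read from the cleartext socket
    go_ahead = buf.next_line()
    if go_ahead is None or not go_ahead.startswith("220"):
        raise UpgradeError("server did not accept STARTTLS")
    if strict and buf.pending():
        # Anything still buffered arrived before TLS and is unauthenticated.
        raise UpgradeError("%d bytes buffered before TLS" % buf.pending())
    # The TLS handshake would run here; bytes fed below count as authenticated.
    buf.feed(tls_read)
    return buf.next_line()


# Constructed sample data (not captured traffic).
CLEAN = b"220 Ready to start TLS\r\n"
PIPELINED = CLEAN + b"250 AUTH PLAIN\r\n"  # extra reply appended in cleartext
OVER_TLS = b"250 AUTH SCRAM-SHA-256\r\n"   # what the server says inside TLS

if __name__ == "__main__":
    print(first_reply_after_upgrade(PIPELINED, OVER_TLS, strict=False))
    print(first_reply_after_upgrade(CLEAN, OVER_TLS, strict=True))
```

With `strict=False` the pre-TLS line is returned as if it had come over the encrypted channel; with `strict=True` the same input aborts the upgrade, and a clean buffer yields the reply that was actually sent inside TLS.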

Metric | NVD | openEuler |
---|---|---|
Confidentiality | None | High |
Attack Vector | Network | Network |
CVSS score | 5.9 | 6.1 |
Attack Complexity | High | High |
Privileges Required | None | None |
Scope | Unchanged | Changed |
Integrity | High | None |
User Interaction | None | Required |
Availability | None | None |

Advisory | Summary | Published |
---|---|---|
KylinSec-SA-2021-1381 | curl security update | October 15, 2021 |

Product | Package | Status |
---|---|---|
KY3.4-4A | curl | Fixed |