CURL-CVE-2020-8286

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2020-8286.html

Import Source

https://curl.se/docs/CURL-CVE-2020-8286.json

JSON Data

https://api.test.osv.dev/v1/vulns/CURL-CVE-2020-8286

Aliases

CVE-2020-8286

Published

2020-12-09T08:00:00Z

Modified

2026-05-21T06:00:25.659359317Z

Summary

Inferior OCSP verification

Details

libcurl offers "OCSP stapling" via the CURLOPT_SSL_VERIFYSTATUS option. When set, libcurl verifies the OCSP response that a server responds with as part of the TLS handshake. It then aborts the TLS negotiation if something is wrong with the response. The same feature can be enabled with --cert-status using the curl tool.

As part of the OCSP response verification, a client should verify that the response is indeed set out for the correct certificate. This step was not performed by libcurl when built or told to use OpenSSL as TLS backend.

This flaw would allow an attacker, who perhaps could have breached a TLS server, to provide a fraudulent OCSP response that would appear fine, instead of the real one. Like if the original certificate actually has been revoked.

Database specific

{
    "CWE": {
        "id": "CWE-299",
        "desc": "Improper Check for Certificate Revocation"
    },
    "severity": "Medium",
    "www": "https://curl.se/docs/CVE-2020-8286.html",
    "affects": "both",
    "award": {
        "currency": "USD",
        "amount": "900"
    },
    "URL": "https://curl.se/docs/CVE-2020-8286.json",
    "issue": "https://hackerone.com/reports/1048457",
    "package": "curl",
    "last_affected": "7.73.0"
}

References

Credits

- Ospoco - FINDER
- Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

7.41.0

Fixed

7.74.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

d1cf5d570663dac157740cb5e49d24614f185da7

Fixed

d9d01672785b8ac04aab1abb6de95fe3072ae199

Affected versions

7.*

7.41.0

7.42.0

7.42.1

7.43.0

7.44.0

7.45.0

7.46.0

7.47.0

7.47.1

7.48.0

7.49.0

7.49.1

7.50.0

7.50.1

7.50.2

7.50.3

7.51.0

7.52.0

7.52.1

7.53.0

7.53.1

7.54.0

7.54.1

7.55.0

7.55.1

7.56.0

7.56.1

7.57.0

7.58.0

7.59.0

7.60.0

7.61.0

7.61.1

7.62.0

7.63.0

7.64.0

7.64.1

7.65.0

7.65.1

7.65.2

7.65.3

7.66.0

7.67.0

7.68.0

7.69.0

7.69.1

7.70.0

7.71.0

7.71.1

7.72.0

7.73.0

Other

curl-7_41_0

curl-7_42_0

curl-7_42_1

curl-7_43_0

curl-7_44_0

curl-7_45_0

curl-7_46_0

curl-7_47_0

curl-7_47_1

curl-7_48_0

curl-7_49_0

curl-7_49_1

curl-7_50_0

curl-7_50_1

curl-7_50_2

curl-7_50_3

curl-7_51_0

curl-7_52_0

curl-7_52_1

curl-7_53_0

curl-7_53_1

curl-7_54_0

curl-7_54_1

curl-7_55_0

curl-7_55_1

curl-7_56_0

curl-7_56_1

curl-7_57_0

curl-7_58_0

curl-7_59_0

curl-7_60_0

curl-7_61_0

curl-7_61_1

curl-7_62_0

curl-7_63_0

curl-7_64_0

curl-7_64_1

curl-7_65_0

curl-7_65_1

curl-7_65_2

curl-7_65_3

curl-7_66_0

curl-7_67_0

curl-7_68_0

curl-7_69_0

curl-7_69_1

curl-7_70_0

curl-7_71_0

curl-7_71_1

curl-7_72_0

curl-7_73_0

tiny-curl-7_72_0

Database specific

source

"https://curl.se/docs/CURL-CVE-2020-8286.json"