Vulnerability Name:

CVE-2007-3564 (CCN-35479)

Assigned:2007-07-10
Published:2007-07-10
Updated:2017-07-29
Summary:libcurl 7.14.0 through 7.16.3, when built with GnuTLS support, does not check SSL/TLS certificate expiration or activation dates, which allows remote attackers to bypass certain access restrictions.
CVSS v3 Severity:5.6 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
5.1 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)
3.8 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-Other
Vulnerability Consequences:Bypass Security
References:Source: CCN
Type: cURL Security Advisory (July 10, 2007)
libcurl GnuTLS insufficient cert verification Vulnerability

Source: MITRE
Type: CNA
CVE-2007-3564

Source: CCN
Type: SA26104
cURL/libcURL GnuTLS Security Issue

Source: SECUNIA
Type: Patch, Vendor Advisory
26104

Source: SECUNIA
Type: Patch, Vendor Advisory
26108

Source: SECUNIA
Type: UNKNOWN
26128

Source: SECUNIA
Type: UNKNOWN
26231

Source: MISC
Type: Patch, Vendor Advisory
http://www.curl.haxx.se/docs/adv_20070710.html

Source: DEBIAN
Type: UNKNOWN
DSA-1333

Source: DEBIAN
Type: DSA-1333
libcurl3-gnutls -- missing input validation

Source: CCN
Type: OSVDB ID: 38207
cURL/libcURL with GnuTLS SSL/TLS Certificate Access Restriction Bypass

Source: BID
Type: UNKNOWN
24938

Source: CCN
Type: BID-24938
Curl GnuTLS Certificate Verfication Access Validation Vulnerability

Source: TRUSTIX
Type: UNKNOWN
2007-0023

Source: CCN
Type: USN-484-1
curl vulnerability

Source: UBUNTU
Type: Patch
USN-484-1

Source: VUPEN
Type: UNKNOWN
ADV-2007-2551

Source: XF
Type: UNKNOWN
libcurl-gnutls-weak-security(35479)

Source: XF
Type: UNKNOWN
libcurl-gnutls-weak-security(35479)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:libcurl:libcurl:7.14:*:*:*:*:*:*:*
  • OR cpe:/a:libcurl:libcurl:7.14.1:*:*:*:*:*:*:*
  • OR cpe:/a:libcurl:libcurl:7.15:*:*:*:*:*:*:*
  • OR cpe:/a:libcurl:libcurl:7.15.1:*:*:*:*:*:*:*
  • OR cpe:/a:libcurl:libcurl:7.15.2:*:*:*:*:*:*:*
  • OR cpe:/a:libcurl:libcurl:7.15.3:*:*:*:*:*:*:*
  • OR cpe:/a:libcurl:libcurl:7.16.3:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.mitre.oval:def:20515
    P
    		DSA-1333-1 curl
    2014-06-23
    oval:org.debian:def:1333
    V
    		missing input validation
    2007-07-18
    BACK
    libcurl libcurl 7.14
    libcurl libcurl 7.14.1
    libcurl libcurl 7.15
    libcurl libcurl 7.15.1
    libcurl libcurl 7.15.2
    libcurl libcurl 7.15.3
    libcurl libcurl 7.16.3