Vulnerability Name:

CVE-2020-8286 (CCN-192856)

Assigned:2020-12-09
Published:2020-12-09
Updated:2022-05-13
Summary:curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response. When stapled-OCSP verification is enabled (CURLOPT_SSL_VERIFYSTATUS in libcurl, --cert-status in the curl tool) and OpenSSL is the TLS backend, libcurl verified the stapled response's signature but never checked that the response actually refers to the server certificate presented in the handshake. An attacker holding the private key of a revoked certificate can therefore staple a validly signed OCSP response issued for a different, unrevoked certificate and pass the revocation check. Fixed in curl 7.74.0.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): High
Availability (A): None
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): High
Availability (A): None
7.4 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
6.4 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): None
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Complete
Availability (A): None
Vulnerability Type:CWE-295 (Improper Certificate Validation)
Vulnerability Consequences:Bypass Security
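The check the summary says was missing, as an added example that is not curl's own code: it parses an OCSP CertID (RFC 6960 section 4.1.1) from a stapled response and compares it against the issuer name, issuer public key and serial number of the certificate the server actually presented, which is what libcurl's OpenSSL backend skipped before 7.74.0 (the upstream fix does the same through OpenSSL's OCSP_cert_to_id() and OCSP_resp_find_status()). The DER helpers, the issuer name, the key bits and the serial numbers below are constructed for this illustration and are not real certificates.

```python
"""Verify that an OCSP CertID names the leaf certificate we were shown.
Added example, not libcurl code; sample data is constructed, not real."""
import hashlib
import hmac

# hashAlgorithm OIDs accepted inside CertID
OID_SHA1 = bytes.fromhex("2b0e03021a")            # 1.3.14.3.2.26
OID_SHA256 = bytes.fromhex("608648016503040201")   # 2.16.840.1.101.3.4.2.1
HASH_BY_OID = {OID_SHA1: "sha1", OID_SHA256: "sha256"}


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV."""
    return bytes([tag]) + _der_len(len(content)) + content


def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; returns (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def der_children(content: bytes):
    """Split a constructed TLV's content into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out


def encode_certid(hash_oid: bytes, issuer_name_der: bytes, issuer_key_bits: bytes, serial: int) -> bytes:
    """Build the CertID a responder puts in a SingleResponse."""
    h = HASH_BY_OID[hash_oid]
    alg = der(0x30, der(0x06, hash_oid) + der(0x05, b""))
    name_hash = der(0x04, hashlib.new(h, issuer_name_der).digest())
    key_hash = der(0x04, hashlib.new(h, issuer_key_bits).digest())
    raw = serial.to_bytes(max(1, (serial.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:  # DER INTEGER is signed; keep a positive serial positive
        raw = b"\x00" + raw
    return der(0x30, alg + name_hash + key_hash + der(0x02, raw))


def parse_certid(certid_der: bytes) -> dict:
    tag, content, _ = der_read(certid_der)
    if tag != 0x30:
        raise ValueError("CertID must be a SEQUENCE")
    (t_alg, alg), (t_nh, name_hash), (t_kh, key_hash), (t_sn, serial) = der_children(content)
    if (t_alg, t_nh, t_kh, t_sn) != (0x30, 0x04, 0x04, 0x02):
        raise ValueError("unexpected CertID field tags")
    t_oid, oid = der_children(alg)[0]
    if t_oid != 0x06 or oid not in HASH_BY_OID:
        raise ValueError("unsupported hashAlgorithm")
    return {"hash": HASH_BY_OID[oid], "issuer_name_hash": name_hash,
            "issuer_key_hash": key_hash, "serial": int.from_bytes(serial, "big")}


def certid_matches(certid_der: bytes, issuer_name_der: bytes, issuer_key_bits: bytes, leaf_serial: int) -> bool:
    """The check CVE-2020-8286 lacked: does this CertID identify *our* leaf?
    issuer_name_der is the issuer cert's subject Name (DER); issuer_key_bits is the
    content of its SubjectPublicKeyInfo.subjectPublicKey BIT STRING (unused-bits octet removed)."""
    try:
        cid = parse_certid(certid_der)
    except ValueError:
        return False  # malformed or unsupported CertID never matches
    h = cid["hash"]
    return (hmac.compare_digest(cid["issuer_name_hash"], hashlib.new(h, issuer_name_der).digest())
            and hmac.compare_digest(cid["issuer_key_hash"], hashlib.new(h, issuer_key_bits).digest())
            and cid["serial"] == leaf_serial)


# Constructed sample data: issuer Name CN=Example CA, placeholder key bits, two serials.
ISSUER_NAME_DER = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x13, b"Example CA"))))
OTHER_ISSUER_NAME_DER = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x13, b"Other CA"))))
ISSUER_KEY_BITS = bytes(range(65))  # stands in for the issuer's public key bits
LEAF_SERIAL = 0x1A2B3C              # the (revoked) certificate the server presented
OTHER_SERIAL = 0x7F7F7F             # a still-valid certificate from the same CA


def demo() -> dict:
    """Which stapled CertIDs would pass the check for our leaf certificate."""
    genuine = encode_certid(OID_SHA1, ISSUER_NAME_DER, ISSUER_KEY_BITS, LEAF_SERIAL)
    swapped = encode_certid(OID_SHA1, ISSUER_NAME_DER, ISSUER_KEY_BITS, OTHER_SERIAL)
    other_ca = encode_certid(OID_SHA256, OTHER_ISSUER_NAME_DER, ISSUER_KEY_BITS, LEAF_SERIAL)
    args = (ISSUER_NAME_DER, ISSUER_KEY_BITS, LEAF_SERIAL)
    return {"genuine": certid_matches(genuine, *args),
            "swapped_serial": certid_matches(swapped, *args),
            "other_issuer": certid_matches(other_ca, *args),
            "garbage": certid_matches(b"\x04\x03abc", *args)}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} {'accepted' if ok else 'rejected'}")
```

The "swapped_serial" case is the attack the advisory describes: a properly signed response for another certificate from the same CA. Matching the CertID is necessary but not sufficient; a client must still verify the response signature against the issuer or an authorised responder, check thisUpdate/nextUpdate against the current time, and act on the certStatus value of the matching SingleResponse.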
References:Source: MITRE
Type: CNA
CVE-2020-8286

Source: FULLDISC
Type: Mailing List, Third Party Advisory
20210427 APPLE-SA-2021-04-26-2 macOS Big Sur 11.3

Source: FULLDISC
Type: Mailing List, Third Party Advisory
20210427 APPLE-SA-2021-04-26-3 Security Update 2021-002 Catalina

Source: FULLDISC
Type: Mailing List, Third Party Advisory
20210427 APPLE-SA-2021-04-26-4 Security Update 2021-003 Mojave

Source: CONFIRM
Type: Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-200951.pdf

Source: CONFIRM
Type: Patch, Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Source: CCN
Type: Project curl Security Advisory, December 9th 2020
Inferior OCSP verification

Source: MISC
Type: Vendor Advisory
https://curl.se/docs/CVE-2020-8286.html

Source: XF
Type: UNKNOWN
curl-cve20208286-sec-bypass(192856)

Source: MISC
Type: Exploit, Patch, Third Party Advisory
https://hackerone.com/reports/1048457

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20201219 [SECURITY] [DLA 2500-1] curl security update

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2020-7ab62c73bc

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2020-ceaf490686

Source: GENTOO
Type: Third Party Advisory
GLSA-202012-14

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210122-0007/

Source: CCN
Type: Apple security document HT212325
About the security content of macOS Big Sur 11.3

Source: CCN
Type: Apple security document HT212326
About the security content of Security Update 2021-002 Catalina

Source: CCN
Type: Apple security document HT212327
About the security content of Security Update 2021-003 Mojave

Source: CONFIRM
Type: Third Party Advisory
https://support.apple.com/kb/HT212325

Source: CONFIRM
Type: Third Party Advisory
https://support.apple.com/kb/HT212326

Source: CONFIRM
Type: Third Party Advisory
https://support.apple.com/kb/HT212327

Source: DEBIAN
Type: Third Party Advisory
DSA-4881

Source: CCN
Type: IBM Security Bulletin 6409294 (Security QRadar Analyst Workflow)
IBM Security QRadar Analyst Workflow add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6430229 (PowerSC)
Vulnerabilities in Curl affect PowerSC (CVE-2020-8284, CVE-2020-8285, and CVE-2020-8286)

Source: CCN
Type: IBM Security Bulletin 6458643 (Aspera High-Speed Transfer Server (HSTS))
cURL libcurl vulnerabilites impacting Aspera High-Speed Transfer Server, Aspera High-Speed Transfer Endpoint, Aspera Desktop Client 4.0 and earlier (CVE-2020-8284, CVE-2020-8286, CVE-2020-8285)

Source: CCN
Type: IBM Security Bulletin 6459257 (Aspera High-Speed Transfer Server)
cURL libcurl vulnerabilites impacting Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint 4.0 and earlier (CVE-2020-8284, CVE-2020-8286, CVE-2020-8285)

Source: CCN
Type: IBM Security Bulletin 6493729 (Cloud Pak for Security)
Cloud Pak for Security is vulnerable to several CVEs

Source: CCN
Type: IBM Security Bulletin 6520474 (QRadar SIEM)
IBM QRadar SIEM Application Framework Base Image is vulnerable to using components with Known Vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6574355 (Cloud Private)
Security Vulnerabilities affect IBM Cloud Private - curl (Multiple CVEs)

Source: CCN
Type: Oracle Critical Patch Update Advisory - April 2021
Oracle Critical Patch Update Advisory - April 2021

Source: MISC
Type: Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Source: CCN
Type: Oracle CPUJul2021
Oracle Critical Patch Update Advisory - July 2021

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:haxx:libcurl:*:*:*:*:*:*:*:* (Version >= 7.41.0 and < 7.74.0)

Configuration 2:
  • cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 4:
  • cpe:/a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:solidfire:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:hci_management_node:-:*:*:*:*:*:*:*

Configuration 5:
  • cpe:/o:netapp:hci_bootstrap_os:-:*:*:*:*:*:*:*
  • AND cpe:/h:netapp:hci_compute_node:-:*:*:*:*:*:*:*

Configuration 6:
  • cpe:/o:netapp:hci_storage_node_firmware:-:*:*:*:*:*:*:*
  • AND cpe:/h:netapp:hci_storage_node:-:*:*:*:*:*:*:*

Configuration 7:
  • cpe:/o:apple:mac_os_x:*:*:*:*:*:*:*:* (Version < 10.14.6)
  • OR cpe:/o:apple:mac_os_x:*:*:*:*:*:*:*:* (Version >= 10.15 and < 10.15.7)
  • OR cpe:/o:apple:mac_os_x:10.14.6:security_update_2020-001:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.14.6:security_update_2020-002:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.14.6:security_update_2020-003:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.14.6:security_update_2020-004:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.14.6:security_update_2020-005:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.14.6:security_update_2020-006:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.14.6:-:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:supplemental_update:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.14.6:security_update_2019-001:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.14.6:security_update_2019-002:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.14.6:security_update_2020-007:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.14.6:security_update_2021-001:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:-:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2020-001:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-001:*:*:*:*:*:*
  • OR cpe:/o:apple:macos:*:*:*:*:*:*:*:* (Version >= 11.0 and < 11.3)

Configuration 8:
  • cpe:/o:siemens:simatic_tim_1531_irc_firmware:*:*:*:*:*:*:*:* (Version <= 2.2)
  • AND cpe:/h:siemens:simatic_tim_1531_irc:-:*:*:*:*:*:*:*

Configuration 9:
  • cpe:/a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:* (Version < 1.0.1.1)

Configuration 10:
  • cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:essbase:21.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:8::baseos:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:ibm:qradar_security_information_and_event_manager:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.2:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:aspera_high-speed_transfer_server:4.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*
  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:7476 | P | curl-8.0.1-150400.5.23.1 on GA media (Moderate) | 2023-06-12
    oval:org.opensuse.security:def:5329 | P | Security update for raptor (Moderate) | 2022-08-25
    oval:org.opensuse.security:def:94467 | P | (Important) | 2022-07-12
    oval:org.opensuse.security:def:3355 | P | rrdtool-1.4.7-21.3.27 on GA media (Moderate) | 2022-06-28
    oval:org.opensuse.security:def:3186 | P | libicu-doc-52.1-8.7.1 on GA media (Moderate) | 2022-06-28
    oval:org.opensuse.security:def:94532 | P | curl-7.79.1-150400.3.1 on GA media (Moderate) | 2022-06-22
    oval:org.opensuse.security:def:2902 | P | curl-7.79.1-150400.3.1 on GA media (Moderate) | 2022-06-22
    oval:org.opensuse.security:def:95154 | P | sca-patterns-sle11-1.5.0-150400.1.4 on GA media (Moderate) | 2022-06-22
    oval:org.opensuse.security:def:38 | P | curl-7.66.0-4.14.1 on GA media (Moderate) | 2022-06-13
    oval:org.opensuse.security:def:967 | P | Security update for python-libxml2-python (Important) | 2022-03-10
    oval:org.opensuse.security:def:112133 | P | curl-7.79.1-1.1 on GA media (Moderate) | 2022-01-17
    oval:org.opensuse.security:def:105669 | P | Security update for python-Pygments (Important) | 2021-12-01
    oval:org.opensuse.security:def:96746 | P | perl-XML-LibXML-2.0132-1.20 on GA media (Moderate) | 2021-09-21
    oval:org.opensuse.security:def:96747 | P | policycoreutils-2.8-9.19 on GA media (Moderate) | 2021-09-21
    oval:org.opensuse.security:def:71797 | P | curl-7.66.0-4.14.1 on GA media (Moderate) | 2021-08-09
    oval:org.opensuse.security:def:100814 | P | curl-7.66.0-4.14.1 on GA media (Moderate) | 2021-08-09
    oval:org.opensuse.security:def:62056 | P | curl-7.66.0-4.14.1 on GA media (Moderate) | 2021-08-09
    oval:org.opensuse.security:def:101180 | P | libXvnc-devel-1.9.0-19.9.1 on GA media (Moderate) | 2021-08-09
    oval:org.opensuse.security:def:101867 | P | Security update for postgresql10 (Moderate) | 2021-06-14
    oval:org.opensuse.security:def:33913 | P | Security update for curl (Moderate) | 2021-05-27
    oval:org.opensuse.security:def:88123 | P | Security update for curl (Moderate) | 2021-05-27
    oval:org.opensuse.security:def:126709 | P | Security update for curl (Moderate) | 2021-05-27
    oval:org.opensuse.security:def:23906 | P | Security update for curl (Moderate) | 2021-05-27
    oval:org.opensuse.security:def:88436 | P | Security update for curl (Moderate) | 2021-05-27
    oval:org.opensuse.security:def:51894 | P | Security update for curl (Moderate) | 2021-05-27
    oval:org.opensuse.security:def:127106 | P | Security update for curl (Moderate) | 2021-05-27
    oval:org.opensuse.security:def:89133 | P | Security update for curl (Moderate) | 2021-05-27
    oval:org.opensuse.security:def:59478 | P | Security update for curl (Moderate) | 2021-05-27
    oval:org.opensuse.security:def:33655 | P | Security update for curl (Moderate) | 2021-05-27
    oval:org.opensuse.security:def:125539 | P | Security update for curl (Moderate) | 2021-05-27
    oval:org.opensuse.security:def:89391 | P | Security update for curl (Moderate) | 2021-05-27
    oval:org.opensuse.security:def:59736 | P | Security update for curl (Moderate) | 2021-05-27
    oval:com.redhat.rhsa:def:20211610 | P | RHSA-2021:1610: curl security and bug fix update (Moderate) | 2021-05-18
    oval:org.opensuse.security:def:110371 | P | Security update for curl (Moderate) | 2020-12-14
    oval:org.opensuse.security:def:110915 | P | Security update for curl (Moderate) | 2020-12-13
    oval:org.opensuse.security:def:60155 | P | Security update for curl (Moderate) | 2020-12-10
    oval:org.opensuse.security:def:4963 | P | Security update for curl (Moderate) | 2020-12-10
    oval:org.opensuse.security:def:34332 | P | Security update for curl (Moderate) | 2020-12-10
    oval:org.opensuse.security:def:25976 | P | Security update for curl (Moderate) | 2020-12-10
    oval:org.opensuse.security:def:104079 | P | Security update for curl (Moderate) | 2020-12-09
    oval:org.opensuse.security:def:64444 | P | Security update for curl (Moderate) | 2020-12-09
    oval:org.opensuse.security:def:75763 | P | Security update for curl (Moderate) | 2020-12-09
    oval:org.opensuse.security:def:97389 | P | Security update for curl (Moderate) | 2020-12-09
    oval:org.opensuse.security:def:91125 | P | Security update for curl (Moderate) | 2020-12-09
    oval:org.opensuse.security:def:73397 | P | Security update for curl (Moderate) | 2020-12-09
    oval:org.opensuse.security:def:99917 | P | (Moderate) | 2020-12-09
    oval:org.opensuse.security:def:104780 | P | Security update for curl (Moderate) | 2020-12-09
    oval:org.opensuse.security:def:66418 | P | Security update for curl (Moderate) | 2020-12-09
    oval:org.opensuse.security:def:98090 | P | Security update for curl (Moderate) | 2020-12-09
    oval:org.opensuse.security:def:73566 | P | Security update for curl (Moderate) | 2020-12-09
    oval:org.opensuse.security:def:117361 | P | Security update for curl (Moderate) | 2020-12-09
    oval:org.opensuse.security:def:100254 | P | (Moderate) | 2020-12-09
    oval:org.opensuse.security:def:107846 | P | Security update for curl (Moderate) | 2020-12-09
    oval:org.opensuse.security:def:66695 | P | Security update for curl (Moderate) | 2020-12-09
    oval:org.opensuse.security:def:5606 | P | Security update for curl (Moderate) | 2020-12-09
    oval:org.opensuse.security:def:64275 | P | Security update for curl (Moderate) | 2020-12-09
    oval:org.opensuse.security:def:75486 | P | Security update for curl (Moderate) | 2020-12-09
    oval:org.opensuse.security:def:100585 | P | (Moderate) | 2020-12-09
    oval:org.opensuse.security:def:108533 | P | Security update for curl (Moderate) | 2020-12-09
    oval:org.opensuse.security:def:90424 | P | Security update for curl (Moderate) | 2020-12-09