Vulnerability Name:
CVE-2020-8286 (CCN-192856)
Assigned:
2020-12-09
Published:
2020-12-09
Updated:
2022-05-13
Summary:
curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.
CVSS v3 Severity:
7.5 High
(CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
6.5 Medium
(Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope:
Scope (S):
Unchanged
Impact Metrics:
Confidentiality (C):
None
Integrity (I):
High
Availability (A):
None
7.5 High
(CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
6.5 Medium
(CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope:
Scope (S):
Unchanged
Impact Metrics:
Confidentiality (C):
None
Integrity (I):
High
Availability (A):
None
7.4 High
(REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
6.4 Medium
(REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV):
Network
Attack Complexity (AC):
High
Privileges Required (PR):
None
User Interaction (UI):
None
Scope:
Scope (S):
Unchanged
Impact Metrics:
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
None
CVSS v2 Severity:
5.0 Medium
(CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics:
Access Vector (AV):
Network
Access Complexity (AC):
Low
Authentication (Au):
None
Impact Metrics:
Confidentiality (C):
None
Integrity (I):
Partial
Availability (A):
None
7.8 High
(CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N)
Exploitability Metrics:
Access Vector (AV):
Network
Access Complexity (AC):
Low
Authentication (Au):
None
Impact Metrics:
Confidentiality (C):
None
Integrity (I):
Complete
Availability (A):
None
Vulnerability Type:
CWE-295
Vulnerability Consequences:
Bypass Security
References:
Source: MITRE
Type: CNA
CVE-2020-8286
Source: FULLDISC
Type: Mailing List, Third Party Advisory
20210427 APPLE-SA-2021-04-26-2 macOS Big Sur 11.3
Source: FULLDISC
Type: Mailing List, Third Party Advisory
20210427 APPLE-SA-2021-04-26-3 Security Update 2021-002 Catalina
Source: FULLDISC
Type: Mailing List, Third Party Advisory
20210427 APPLE-SA-2021-04-26-4 Security Update 2021-003 Mojave
Source: CONFIRM
Type: Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-200951.pdf
Source: CONFIRM
Type: Patch, Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
Source: CCN
Type: Project curl Security Advisory, December 9th 2020
Inferior OCSP verification
Source: MISC
Type: Vendor Advisory
https://curl.se/docs/CVE-2020-8286.html
Source: XF
Type: UNKNOWN
curl-cve20208286-sec-bypass(192856)
Source: MISC
Type: Exploit, Patch, Third Party Advisory
https://hackerone.com/reports/1048457
Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20201219 [SECURITY] [DLA 2500-1] curl security update
Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2020-7ab62c73bc
Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2020-ceaf490686
Source: GENTOO
Type: Third Party Advisory
GLSA-202012-14
Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210122-0007/
Source: CCN
Type: Apple security document HT212325
About the security content of macOS Big Sur 11.3
Source: CCN
Type: Apple security document HT212326
About the security content of Security Update 2021-002 Catalina
Source: CCN
Type: Apple security document HT212327
About the security content of Security Update 2021-003 Mojave
Source: CONFIRM
Type: Third Party Advisory
https://support.apple.com/kb/HT212325
Source: CONFIRM
Type: Third Party Advisory
https://support.apple.com/kb/HT212326
Source: CONFIRM
Type: Third Party Advisory
https://support.apple.com/kb/HT212327
Source: DEBIAN
Type: Third Party Advisory
DSA-4881
Source: CCN
Type: IBM Security Bulletin 6409294 (Security QRadar Analyst Workflow)
IBM Security QRadar Analyst Workflow add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities
Source: CCN
Type: IBM Security Bulletin 6430229 (PowerSC)
Vulnerabilities in Curl affect PowerSC (CVE-2020-8284, CVE-2020-8285, and CVE-2020-8286)
Source: CCN
Type: IBM Security Bulletin 6458643 (Aspera High-Speed Transfer Server (HSTS))
cURL libcurl vulnerabilities impacting Aspera High-Speed Transfer Server, Aspera High-Speed Transfer Endpoint, Aspera Desktop Client 4.0 and earlier (CVE-2020-8284, CVE-2020-8286, CVE-2020-8285)
Source: CCN
Type: IBM Security Bulletin 6459257 (Aspera High-Speed Transfer Server)
cURL libcurl vulnerabilities impacting Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint 4.0 and earlier (CVE-2020-8284, CVE-2020-8286, CVE-2020-8285)
Source: CCN
Type: IBM Security Bulletin 6493729 (Cloud Pak for Security)
Cloud Pak for Security is vulnerable to several CVEs
Source: CCN
Type: IBM Security Bulletin 6520474 (QRadar SIEM)
IBM QRadar SIEM Application Framework Base Image is vulnerable to using components with Known Vulnerabilities
Source: CCN
Type: IBM Security Bulletin 6574355 (Cloud Private)
Security Vulnerabilities affect IBM Cloud Private - curl (Multiple CVEs)
Source: CCN
Type: Oracle Critical Patch Update Advisory - April 2021
Oracle Critical Patch Update Advisory - April 2021
Source: MISC
Type: Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html
Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
Source: CCN
Type: Oracle CPUJul2021
Oracle Critical Patch Update Advisory - July 2021
Vulnerable Configuration:
Configuration 1:
cpe:/a:haxx:libcurl:*:*:*:*:*:*:*:*
(Version >= 7.41.0 and < 7.74.0)
Configuration 2:
cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*
OR
cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Configuration 3:
cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
OR
cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Configuration 4:
cpe:/a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
OR
cpe:/a:netapp:solidfire:-:*:*:*:*:*:*:*
OR
cpe:/a:netapp:hci_management_node:-:*:*:*:*:*:*:*
Configuration 5:
cpe:/o:netapp:hci_bootstrap_os:-:*:*:*:*:*:*:*
AND
cpe:/h:netapp:hci_compute_node:-:*:*:*:*:*:*:*
Configuration 6:
cpe:/o:netapp:hci_storage_node_firmware:-:*:*:*:*:*:*:*
AND
cpe:/h:netapp:hci_storage_node:-:*:*:*:*:*:*:*
Configuration 7:
cpe:/o:apple:mac_os_x:*:*:*:*:*:*:*:*
(Version < 10.14.6)
OR
cpe:/o:apple:mac_os_x:*:*:*:*:*:*:*:*
(Version >= 10.15 and < 10.15.7)
OR
cpe:/o:apple:mac_os_x:10.14.6:security_update_2020-001:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.14.6:security_update_2020-002:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.14.6:security_update_2020-003:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.14.6:security_update_2020-004:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.14.6:security_update_2020-005:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.14.6:security_update_2020-006:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.14.6:-:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.15.7:supplemental_update:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.14.6:security_update_2019-001:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.14.6:security_update_2019-002:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.14.6:security_update_2020-007:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.14.6:security_update_2021-001:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.15.7:-:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.15.7:security_update_2020-001:*:*:*:*:*:*
OR
cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-001:*:*:*:*:*:*
OR
cpe:/o:apple:macos:*:*:*:*:*:*:*:*
(Version >= 11.0 and < 11.3)
Configuration 8:
cpe:/o:siemens:simatic_tim_1531_irc_firmware:*:*:*:*:*:*:*:*
(Version <= 2.2)
AND
cpe:/h:siemens:simatic_tim_1531_irc:-:*:*:*:*:*:*:*
Configuration 9:
cpe:/a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*
(Version < 1.0.1.1)
Configuration 10:
cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
OR
cpe:/a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*
OR
cpe:/a:oracle:essbase:21.2:*:*:*:*:*:*:*
OR
cpe:/a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*
Configuration RedHat 1:
cpe:/o:redhat:enterprise_linux:8:*:*:*:*:*:*:*
Configuration RedHat 2:
cpe:/o:redhat:enterprise_linux:8::baseos:*:*:*:*:*
Configuration CCN 1:
cpe:/a:ibm:qradar_security_information_and_event_manager:7.3:*:*:*:*:*:*:*
OR
cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:*
OR
cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:*
OR
cpe:/a:ibm:cloud_private:3.2.2:cd:*:*:*:*:*:*
OR
cpe:/a:ibm:aspera_high-speed_transfer_server:4.0.0:*:*:*:*:*:*:*
OR
cpe:/a:ibm:cloud_pak_for_security:1.7.0.0:*:*:*:*:*:*:*
OR
cpe:/a:ibm:cloud_pak_for_security:1.7.1.0:*:*:*:*:*:*:*
OR
cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*
Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:7476 | P | curl-8.0.1-150400.5.23.1 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:5329 | P | Security update for raptor (Moderate) | 2022-08-25
oval:org.opensuse.security:def:94467 | P | (Important) | 2022-07-12
oval:org.opensuse.security:def:3355 | P | rrdtool-1.4.7-21.3.27 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3186 | P | libicu-doc-52.1-8.7.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:94532 | P | curl-7.79.1-150400.3.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:2902 | P | curl-7.79.1-150400.3.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:95154 | P | sca-patterns-sle11-1.5.0-150400.1.4 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:38 | P | curl-7.66.0-4.14.1 on GA media (Moderate) | 2022-06-13
oval:org.opensuse.security:def:967 | P | Security update for python-libxml2-python (Important) | 2022-03-10
oval:org.opensuse.security:def:112133 | P | curl-7.79.1-1.1 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:105669 | P | Security update for python-Pygments (Important) | 2021-12-01
oval:org.opensuse.security:def:96746 | P | perl-XML-LibXML-2.0132-1.20 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:96747 | P | policycoreutils-2.8-9.19 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:71797 | P | curl-7.66.0-4.14.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:100814 | P | curl-7.66.0-4.14.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62056 | P | curl-7.66.0-4.14.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:101180 | P | libXvnc-devel-1.9.0-19.9.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:101867 | P | Security update for postgresql10 (Moderate) | 2021-06-14
oval:org.opensuse.security:def:33913 | P | Security update for curl (Moderate) | 2021-05-27
oval:org.opensuse.security:def:88123 | P | Security update for curl (Moderate) | 2021-05-27
oval:org.opensuse.security:def:126709 | P | Security update for curl (Moderate) | 2021-05-27
oval:org.opensuse.security:def:23906 | P | Security update for curl (Moderate) | 2021-05-27
oval:org.opensuse.security:def:88436 | P | Security update for curl (Moderate) | 2021-05-27
oval:org.opensuse.security:def:51894 | P | Security update for curl (Moderate) | 2021-05-27
oval:org.opensuse.security:def:127106 | P | Security update for curl (Moderate) | 2021-05-27
oval:org.opensuse.security:def:89133 | P | Security update for curl (Moderate) | 2021-05-27
oval:org.opensuse.security:def:59478 | P | Security update for curl (Moderate) | 2021-05-27
oval:org.opensuse.security:def:33655 | P | Security update for curl (Moderate) | 2021-05-27
oval:org.opensuse.security:def:125539 | P | Security update for curl (Moderate) | 2021-05-27
oval:org.opensuse.security:def:89391 | P | Security update for curl (Moderate) | 2021-05-27
oval:org.opensuse.security:def:59736 | P | Security update for curl (Moderate) | 2021-05-27
oval:com.redhat.rhsa:def:20211610 | P | RHSA-2021:1610: curl security and bug fix update (Moderate) | 2021-05-18
oval:org.opensuse.security:def:110371 | P | Security update for curl (Moderate) | 2020-12-14
oval:org.opensuse.security:def:110915 | P | Security update for curl (Moderate) | 2020-12-13
oval:org.opensuse.security:def:60155 | P | Security update for curl (Moderate) | 2020-12-10
oval:org.opensuse.security:def:4963 | P | Security update for curl (Moderate) | 2020-12-10
oval:org.opensuse.security:def:34332 | P | Security update for curl (Moderate) | 2020-12-10
oval:org.opensuse.security:def:25976 | P | Security update for curl (Moderate) | 2020-12-10
oval:org.opensuse.security:def:104079 | P | Security update for curl (Moderate) | 2020-12-09
oval:org.opensuse.security:def:64444 | P | Security update for curl (Moderate) | 2020-12-09
oval:org.opensuse.security:def:75763 | P | Security update for curl (Moderate) | 2020-12-09
oval:org.opensuse.security:def:97389 | P | Security update for curl (Moderate) | 2020-12-09
oval:org.opensuse.security:def:91125 | P | Security update for curl (Moderate) | 2020-12-09
oval:org.opensuse.security:def:73397 | P | Security update for curl (Moderate) | 2020-12-09
oval:org.opensuse.security:def:99917 | P | (Moderate) | 2020-12-09
oval:org.opensuse.security:def:104780 | P | Security update for curl (Moderate) | 2020-12-09
oval:org.opensuse.security:def:66418 | P | Security update for curl (Moderate) | 2020-12-09
oval:org.opensuse.security:def:98090 | P | Security update for curl (Moderate) | 2020-12-09
oval:org.opensuse.security:def:73566 | P | Security update for curl (Moderate) | 2020-12-09
oval:org.opensuse.security:def:117361 | P | Security update for curl (Moderate) | 2020-12-09
oval:org.opensuse.security:def:100254 | P | (Moderate) | 2020-12-09
oval:org.opensuse.security:def:107846 | P | Security update for curl (Moderate) | 2020-12-09
oval:org.opensuse.security:def:66695 | P | Security update for curl (Moderate) | 2020-12-09
oval:org.opensuse.security:def:5606 | P | Security update for curl (Moderate) | 2020-12-09
oval:org.opensuse.security:def:64275 | P | Security update for curl (Moderate) | 2020-12-09
oval:org.opensuse.security:def:75486 | P | Security update for curl (Moderate) | 2020-12-09
oval:org.opensuse.security:def:100585 | P | (Moderate) | 2020-12-09
oval:org.opensuse.security:def:108533 | P | Security update for curl (Moderate) | 2020-12-09
oval:org.opensuse.security:def:90424 | P | Security update for curl (Moderate) | 2020-12-09