Required CVE Record Information
Description
curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.
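The ordering flaw described above, shown as a simplified model. This is an added example, not curl's code: the cache structure, the function names and the host `example.test` are hypothetical, and the stapling result is a constructed input rather than a real TLS handshake.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy session cache keyed by hostname (hypothetical, not curl's structures). */
#define CACHE_SLOTS 4
struct session_cache { char host[CACHE_SLOTS][64]; int used; };

static bool cache_has(const struct session_cache *c, const char *host) {
    for (int i = 0; i < c->used; i++)
        if (strcmp(c->host[i], host) == 0)
            return true;
    return false;
}

static void cache_add(struct session_cache *c, const char *host) {
    if (c->used < CACHE_SLOTS && !cache_has(c, host))
        snprintf(c->host[c->used++], sizeof c->host[0], "%s", host);
}

/* One transfer with verify status required. staple_ok is the constructed
   result of the stapling check; cache_before_check selects the flawed order. */
static bool transfer(struct session_cache *c, const char *host,
                     bool staple_ok, bool cache_before_check) {
    if (cache_has(c, host))
        return true;          /* resumed session: status check is skipped */
    if (cache_before_check)
        cache_add(c, host);   /* flawed: session kept before the check */
    if (!staple_ok)
        return false;         /* verify status failed, transfer refused */
    cache_add(c, host);       /* corrected: keep only verified sessions */
    return true;
}

/* Outcome of a second transfer made after a first one failed the check. */
static bool second_transfer_succeeds(bool cache_before_check) {
    struct session_cache c = {0};
    transfer(&c, "example.test", false, cache_before_check);
    return transfer(&c, "example.test", false, cache_before_check);
}

int main(void) {
    printf("flawed ordering:    second transfer %s\n",
           second_transfer_succeeds(true) ? "succeeds" : "fails");
    printf("corrected ordering: second transfer %s\n",
           second_transfer_succeeds(false) ? "succeeds" : "fails");
    return 0;
}
```

In the model, a session that never passed the check can only be resumed under the flawed ordering; under the corrected ordering the cache holds verified sessions only.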
Credits
- Hiroki Kurosawa (finder)
- Daniel Stenberg (remediation developer)
This container includes required additional information provided by the CVE Program for this vulnerability.
References (6 total)
- curl.se: json x_transferred
- curl.se: www x_transferred
- hackerone.com: issue x_transferred
- https://security.netapp.com/advisory/ntap-20240307-0004/ x_transferred
- https://security.netapp.com/advisory/ntap-20240426-0009/ x_transferred
- https://security.netapp.com/advisory/ntap-20240503-0012/ x_transferred