curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly short-cut the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Libcurl | Haxx | 7.63.0 (including) | 7.75.0 (including) |
| JBoss Core Services Apache HTTP Server 2.4.37 SP8 | RedHat | curl | * |
| JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-0:1-18.el8jbcs | * |
| JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-apr-0:1.6.3-105.el8jbcs | * |
| JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-apr-util-0:1.6.1-82.el8jbcs | * |
| JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-brotli-0:1.0.6-40.el8jbcs | * |
| JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-curl-0:7.77.0-2.el8jbcs | * |
| JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-httpd-0:2.4.37-74.el8jbcs | * |
| JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-jansson-0:2.11-55.el8jbcs | * |
| JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-mod_cluster-native-0:1.3.16-5.Final_redhat_2.el8jbcs | * |
| JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-mod_http2-0:1.15.7-17.el8jbcs | * |
| JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-mod_jk-0:1.2.48-16.redhat_1.el8jbcs | * |
| JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-mod_md-1:2.0.8-36.el8jbcs | * |
| JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-mod_security-0:2.9.2-63.GA.el8jbcs | * |
| JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-nghttp2-0:1.39.2-37.el8jbcs | * |
| JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-openssl-1:1.1.1g-6.el8jbcs | * |
| JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-openssl-chil-0:1.0.0-5.el8jbcs | * |
| JBoss Core Services for RHEL 8 | RedHat | jbcs-httpd24-openssl-pkcs11-0:0.4.10-20.el8jbcs | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-0:1-18.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-apr-0:1.6.3-105.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-apr-util-0:1.6.1-82.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-curl-0:7.77.0-2.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-httpd-0:2.4.37-74.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-jansson-0:2.11-55.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_cluster-native-0:1.3.16-5.Final_redhat_2.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_http2-0:1.15.7-17.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_jk-0:1.2.48-16.redhat_1.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_md-1:2.0.8-36.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_security-0:2.9.2-63.GA.jbcs.el7 | * |
| Curl | Ubuntu | devel | * |
| Curl | Ubuntu | focal | * |
| Curl | Ubuntu | groovy | * |
| Curl | Ubuntu | trusty | * |