When a libcurl-based application performs transfers via SCP:// or SFTP://
and utilizes the CURLOPT_SSH_KEYFUNCTION callback, it may silently accept an
untrusted server. This vulnerability occurs when a server presents a host key
type that does not match the specific key type already recorded for that host
in the known_hosts file. Instead of rejecting the mismatch, the callback
mechanism fails to properly enforce the restriction, allowing the connection
to succeed without warning and risking a potential man-in-the-middle attack.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Curl | Haxx | 7.69.0 (including) | 8.21.0 (excluding) |
| Red Hat Hardened Images | RedHat | rust-main-1.96.1-1.hum1 | * |
| Curl | Ubuntu | devel | * |
| Curl | Ubuntu | jammy | * |
| Curl | Ubuntu | noble | * |
| Curl | Ubuntu | questing | * |
| Curl | Ubuntu | resolute | * |
| Curl | Ubuntu | upstream | * |