CVE-2016-7141

Published: 03 October 2016

curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.

Priority

Low

CVSS 3 base score: 7.5

Status

Package Release Status
curl
Launchpad, Ubuntu, Debian
Upstream
Released (7.50.2)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (7.47.0-1ubuntu2.2)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (7.35.0-1ubuntu2.10)
Patches:
Upstream: https://curl.haxx.se/CVE-2016-7141.patch