The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2016-05-20T00:00:00

Updated: 2024-08-06T00:03:34.619Z

Reserved: 2016-03-30T00:00:00

Link: CVE-2016-3739

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2016-05-20T14:59:05.450

Modified: 2024-11-21T02:50:36.647

Link: CVE-2016-3739

cve-icon Redhat

Severity : Moderate

Publid Date: 2016-05-18T00:00:00Z

Links: CVE-2016-3739 - Bugzilla