The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: redhat
Published: 2016-05-20T00:00:00
Updated: 2024-08-06T00:03:34.619Z
Reserved: 2016-03-30T00:00:00
Link: CVE-2016-3739
Vulnrichment
No data.
NVD
Status : Modified
Published: 2016-05-20T14:59:05.450
Modified: 2024-11-21T02:50:36.647
Link: CVE-2016-3739
Redhat