this post was submitted on 05 Feb 2025
Cybersecurity

#cURL doesn't validate SSH host identity if known_hosts file is missing. I think this is a #vulnerability, but the project disagrees. Advisory is here: https://sintonen.fi/advisories/curl-ssh-insufficient-host-identity-verification.txt

#infosec #cybersecurity #nocve
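The behaviour described in the post is a fail-open default: a missing known_hosts file leaves an sftp:// or scp:// transfer without any host-identity check. Below is an added example, not code from the post, the advisory or the curl project, of a small POSIX shell wrapper that fails closed instead. It either pins the server's host key with curl's `--hostpubsha256` option (assumed available, i.e. curl 7.80.0 or later) using a digest obtained out of band, or insists that a readable, non-empty known_hosts file exists before it lets curl run. The helper that turns an `ssh-keygen -lf` line into the pin value, the `CURL` override variable, the exit codes and the sample fingerprint are all this example's own conventions.

```shell
#!/bin/sh
# Added example (not curl project code): a fail-closed wrapper for curl's
# sftp:// and scp:// transfers. curl is only invoked when host identity can
# actually be verified: an explicit --hostpubsha256 pin, or a usable
# known_hosts file. A missing known_hosts never silently becomes "no check".

: "${CURL:=curl}"   # assumption: curl binary to invoke (overridable for tests)

# Turn a line as printed by `ssh-keygen -lf hostkey.pub`, e.g.
#   256 SHA256:AbCd...xyz example.com (ED25519)
# into the base64 digest that --hostpubsha256 takes (curl documents the
# option as a base64 SHA-256 of the host key; ssh-keygen prints that digest
# after the "SHA256:" prefix). Returns 1 if no SHA256 field is present.
# Get hostkey.pub from the server's admin or another trusted channel; an
# ad-hoc ssh-keyscan at first contact is only trust-on-first-use.
pin_from_keygen_line() {
    case "$1" in
        *" SHA256:"*) ;;
        *) return 1 ;;
    esac
    rest="${1#* SHA256:}"        # drop everything up to and including " SHA256:"
    printf '%s\n' "${rest%% *}"  # keep the digest, drop " host (TYPE)"
}

# 0 if a usable known_hosts file exists (readable and non-empty), else 1.
have_known_hosts() {
    kh="${1:-$HOME/.ssh/known_hosts}"
    [ -r "$kh" ] && [ -s "$kh" ]
}

# safe_ssh_fetch URL [FINGERPRINT] [KNOWN_HOSTS]
# Exit status: 2 = not an SSH URL, 3 = refused because the host cannot be
# verified, otherwise curl's own exit status.
safe_ssh_fetch() {
    url="$1"; fp="${2:-}"; kh="${3:-$HOME/.ssh/known_hosts}"
    case "$url" in
        sftp://*|scp://*) ;;
        *) echo "safe_ssh_fetch: refusing non-SSH URL: $url" >&2; return 2 ;;
    esac
    if [ -n "$fp" ]; then
        # Explicit pin: curl aborts the transfer if the server's host key
        # digest does not match the one given.
        "$CURL" --fail --silent --show-error --hostpubsha256 "$fp" "$url"
    elif have_known_hosts "$kh"; then
        # Only now fall back to known_hosts; its existence was checked here,
        # so curl cannot proceed unverified because the file is absent.
        "$CURL" --fail --silent --show-error "$url"
    else
        echo "safe_ssh_fetch: refusing $url: no pinned fingerprint and no usable known_hosts at $kh" >&2
        return 3
    fi
}

# Usage (constructed values, not a real host):
#   pin=$(pin_from_keygen_line "$(ssh-keygen -lf hostkey.pub)")
#   safe_ssh_fetch sftp://backup.example.internal/etc/motd "$pin" > motd
```

The pin path is the stronger of the two: it ties the transfer to one specific host key regardless of what is or is not in known_hosts. The known_hosts path only guarantees that the file exists, so it still depends on curl doing the right thing when the host is present in that file; the refusal branch is what removes the silent fail-open case the post describes.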

top 5 comments
[–] [email protected] 3 points 2 weeks ago

The latest curl version 8.12.0 (released today) is affected.

[–] Dubiousx99 2 points 2 weeks ago

This is a good post and article. It actually contains enough information to make an assessment about how this vulnerability equates to risk in our environments. I completely agree with the author that curl requests should fail if they can't perform validation, as the author defines it, and that this should be the default behavior.

[–] [email protected] 2 points 2 weeks ago (1 children)

Are there any good curl forks?

[–] [email protected] 2 points 2 weeks ago

@[email protected] Curl will likely address this eventually even though they don't consider it a vulnerability. See https://github.com/curl/curl/issues/16197

[–] [email protected] 1 point 2 weeks ago

@[email protected] Nice find. I don't know how curl defines a vulnerability, but it definitely should have more warnings and preferably fail closed, although that might break quite a few systems which depend on this insecure behaviour.