Bug 2368887 (CVE-2025-4947)
| Summary: | CVE-2025-4947 libcurl: curl: QUIC certificate check skip with wolfSSL | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | adudiak, crizzo, csutherl, dbosanac, dfreiber, drow, jburrell, jclere, jmitchel, jreimann, jtanner, kshier, mdessi, mrizzi, mturk, omaciel, pcattana, pjindal, plodge, stcannon, szappis, vkumar, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A vulnerability was found in curl. When using WolfSSL as the TLS library, it skips the certificate verification for QUIC connections when connecting to a host specified as an IP address in the URL. This can result in curl being unable to detect illegitimate servers or man-in-the-middle attacks, potentially leading to unauthorized connections to malicious hosts or the interception of sensitive communications.
This issue only affects instances of curl and libcurl using WolfSSL as the backend TLS library.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2025-05-28 07:01:08 UTC
|