{"id":"CURL-CVE-2011-3389","summary":"SSL CBC IV vulnerability","details":"curl is vulnerable to an SSL CBC IV vulnerability when built to use OpenSSL for\nthe SSL/TLS layer.\n\nThis vulnerability has been identified (CVE-2011-3389 aka the \"BEAST\" attack)\nand is addressed by OpenSSL already as they have made a work-around to\nmitigate the problem. When doing so, they figured out that some servers did\nnot work with the work-around and offered a way to disable it.\n\nThe bit used to disable the workaround was then added to the generic\n`SSL_OP_ALL` bitmask that SSL clients may use to enable workarounds for better\ncompatibility with servers. libcurl uses the SSL_OP_ALL bitmask.\n\nWhile `SSL_OP_ALL` is documented to enable \"rather harmless\" workarounds, it\ndoes in this case effectively enable this security vulnerability again.","aliases":["CVE-2011-3389","PSF-2011-3"],"modified":"2024-09-11T06:13:48.938261Z","published":"2012-01-24T08:00:00Z","database_specific":{"last_affected":"7.23.1","package":"curl","CWE":{"desc":"Improper Enforcement of Message Integrity During Transmission in a Communication Channel","id":"CWE-924"},"URL":"https://curl.se/docs/CVE-2011-3389.json","www":"https://curl.se/docs/CVE-2011-3389.html","affects":"both","severity":"High"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.10.6"},{"fixed":"7.24.0"}]}],"versions":["7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0","7.19.7","7.19.6","7.19.5","7.19.4","7.19.3","7.19.2","7.19.1","7.19.0","7.18.2","7.18.1","7.18.0","7.17.1","7.17.0","7.16.4","7.16.3","7.16.2","7.16.1","7.16.0","7.15.5","7.15.4","7.15.3","7.15.2","7.15.1","7.15.0","7.14.1","7.14.0","7.13.2","7.13.1","7.13.0","7.12.3","7.12.2","7.12.1","7.12.0","7.11.2","7.11.1","7.11.0","7.10.8","7.10.7","7.10.6"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2011-3389.json"}}],"schema_version":"1.7.3","credits":[{"name":"product-security at Apple","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"},{"name":"Yang Tse","type":"OTHER"}]}