{
  "threat_severity" : "Moderate",
  "public_date" : "2020-12-09T00:00:00Z",
  "bugzilla" : {
    "description" : "curl: Inferior OCSP verification",
    "id" : "1906096",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1906096"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-295",
  "details" : [ "curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.", "Libcurl offers \"OCSP stapling\" via the CURLOPT_SSL_VERIFYSTATUS option. When set, libcurl verifies the OCSP response that a server responds with as part of the TLS handshake. It then aborts the TLS negotiation if something is wrong with the response. The same feature can be enabled with --cert-status using the curl tool. As part of the OCSP response verification, a client should verify that the response is indeed set out for the correct certificate. This step was not performed by libcurl when built or told to use OpenSSL as TLS backend." ],
  "affected_release" : [ {
    "product_name" : "JBoss Core Services Apache HTTP Server 2.4.37 SP8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2471",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1",
    "package" : "jbcs-httpd24-curl"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-0:1-18.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-apr-0:1.6.3-105.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-apr-util-0:1.6.1-82.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-brotli-0:1.0.6-40.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-curl-0:7.77.0-2.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-httpd-0:2.4.37-74.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-jansson-0:2.11-55.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.16-5.Final_redhat_2.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_http2-0:1.15.7-17.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_jk-0:1.2.48-16.redhat_1.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_md-1:2.0.8-36.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_security-0:2.9.2-63.GA.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-nghttp2-0:1.39.2-37.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-openssl-1:1.1.1g-6.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-openssl-chil-0:1.0.0-5.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-openssl-pkcs11-0:0.4.10-20.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-0:1-18.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-apr-0:1.6.3-105.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-apr-util-0:1.6.1-82.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-curl-0:7.77.0-2.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-httpd-0:2.4.37-74.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-jansson-0:2.11-55.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.16-5.Final_redhat_2.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_http2-0:1.15.7-17.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_jk-0:1.2.48-16.redhat_1.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_md-1:2.0.8-36.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-06-17T00:00:00Z",
    "advisory" : "RHSA-2021:2472",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_security-0:2.9.2-63.GA.jbcs.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-05-18T00:00:00Z",
    "advisory" : "RHSA-2021:1610",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "curl-0:7.61.1-18.el8"
  } ],
  "package_state" : [ {
    "product_name" : ".NET Core 2.1 on Red Hat Enterprise Linux",
    "fix_state" : "Not affected",
    "package_name" : "rh-dotnet21-curl",
    "cpe" : "cpe:/a:redhat:rhel_dotnet:2.1"
  }, {
    "product_name" : ".NET Core 3.1 on Red Hat Enterprise Linux",
    "fix_state" : "Not affected",
    "package_name" : "rh-dotnet31-curl",
    "cpe" : "cpe:/a:redhat:rhel_dotnet:3.1"
  }, {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Out of support scope",
    "package_name" : "curl",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "curl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "curl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "curl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Will not fix",
    "package_name" : "httpd24-curl",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-8286\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8286\nhttps://curl.se/docs/CVE-2020-8286.html" ],
  "name" : "CVE-2020-8286",
  "csaw" : false
}