Executive Summary

This vulnerability in libcurl affects SSH-based transfers using SCP or SFTP when a user specifies a known_hosts file for host verification. Despite specifying a particular known_hosts file, libcurl could mistakenly accept connections to hosts not listed in that file if those hosts were present in the libssh global known_hosts file. This happens because libssh's API falls back to a global known_hosts file if the host is not found in the user-specified file, leading to improper validation of host certificates (CWE-297). The issue affects libcurl versions 7.58.0 through 8.17.0 and was fixed in version 8.18.0. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow libcurl to accept SSH connections to unauthorized or unintended hosts during SCP or SFTP transfers if those hosts are present in the global known_hosts file but not in the user-specified known_hosts file. This could lead to potential man-in-the-middle attacks or unauthorized data transfers, compromising the security of SSH-based file transfers. [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should upgrade libcurl to version 8.18.0 or later, which contains the fix. Alternatively, you can build curl with the libssh2 backend instead of libssh, or avoid using the SFTP or SCP protocols with vulnerable versions of libcurl (7.58.0 up to and including 8.17.0). [2]

Useful 0 Not Useful 0