CVE-2016-3739
MEDIUM5.3EPSS 1.1%Published: 5/20/2016Modified: 4/28/2026
Also known as:DEBIAN-CVE-2016-3739
Description
The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.
Affected packages (1)
- Debian/curlfrom 0, < 7.50.1-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N |