#cURL doesn't validate SSH host identity if known_hosts file is missing. I think this is a #vulnerability, but the project disagrees. Advisory is here:

Harry Sintonen@infosec.exchange · 7 days ago

#cURL doesn't validate SSH host identity if known_hosts file is missing. I think this is a #vulnerability, but the project disagrees. Advisory is here:

Gabriel N@infosec.exchange · 5 days ago

@harrysintonen@infosec.exchange nice find, I don’t know how curl defines a vulnerability, but it definitely should have more warnings and preferably fail closed, although that might break quite a few systems which depend on this insecure behaviour

SatyrSack@feddit.org · 7 days ago

Are there any good curl forks?

Harry Sintonen@infosec.exchange · 6 days ago

@SatyrSack@feddit.org Curl will likely address this eventually even though they don’t consider it a vulnerability. See https://github.com/curl/curl/issues/16197

Harry Sintonen@infosec.exchange · 7 days ago

The latest curl version 8.12.0 (released today) is affected.

Dubiousx99@lemmy.world · 7 days ago

This is a good post and article. It actually contains enough information to make an assessment about how this vulnerability equates to risk in our environments. I completely agree with the author that curl requests should fail if they can’t perform validation as defined being the default behavior.