Gabriel N@infosec.exchange to Cybersecurity@fedia.io • #cURL doesn't validate SSH host identity if known_hosts file is missing. I think this is a #vulnerability, but the project disagrees. Advisory is here: · 5 days ago

@harrysintonen@infosec.exchange nice find, I don’t know how curl defines a vulnerability, but it definitely should have more warnings and preferably fail closed, although that might break quite a few systems which depend on this insecure behaviour