CVE-2017-2629

Name: CVE-2017-2629
Creator: NVD / NIST
Published: 2018-07-27T19:29:00.44+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 1.39%

Last modified Jun 17, 2026

CVE-2017-2629 is a vulnerability of currently unknown severity. curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. EPSS estimates a 1.39% chance of exploitation in the next 30 days.

Description

curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. This could lead to users not detecting when a server's certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in reality. This flaw also exists in the command line tool (--cert-status).

Metrics

EPSS Probability

1.39%

68.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Haxx	Curl	< 7.53.0

References

http://www.securityfocus.com/bid/96382Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1037871Third Party Advisory, VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2629Issue Tracking, Patch, Third Party Advisory
https://curl.haxx.se/docs/adv_20170222.htmlVendor Advisory
https://security.gentoo.org/glsa/201703-04Third Party Advisory
https://www.tenable.com/security/tns-2017-09Third Party Advisory
http://www.securityfocus.com/bid/96382Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1037871Third Party Advisory, VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2629Issue Tracking, Patch, Third Party Advisory
https://curl.haxx.se/docs/adv_20170222.htmlVendor Advisory
https://security.gentoo.org/glsa/201703-04Third Party Advisory
https://www.tenable.com/security/tns-2017-09Third Party Advisory

Timeline

Published: Jul 27, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2017-2629?

How severe is CVE-2017-2629?

Severity scoring for CVE-2017-2629 is pending analysis. The EPSS model estimates a 1.39% probability of exploitation in the next 30 days.

How do I fix CVE-2017-2629?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-2629?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST