CVE-2020-8286
Description
curl 7.41.0 through 7.73.0 fails to verify the OCSP response certificate ID when using OpenSSL, allowing a compromised server to present a fraudulent OCSP response.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
libcurl versions 7.41.0 through 7.73.0, when built with OpenSSL as the TLS backend and with OCSP stapling enabled via CURLOPT_SSL_VERIFYSTATUS (or --cert-status in the curl tool), do not verify that the stapled OCSP response actually covers the certificate the server presented: the certificate ID carried in the response is never compared against that certificate. Only the status the response reports is checked, so a response for some other certificate is accepted as if it vouched for the server's. OCSP stapling is not enabled by default; an application must explicitly request it. The flaw is present only when OpenSSL is the TLS backend in use; other backends are not affected [4].
Exploitation
The stapled OCSP response is delivered by the server inside the TLS handshake, so the attacker must control what the server staples: for example an attacker who has compromised a TLS server, or who holds the private key of a certificate that has since been revoked, and can inject an OCSP response of their choosing. Because the certificate ID is never compared with the certificate presented, a response that appears valid (for instance one that is properly signed but covers a different, unrevoked certificate) is accepted even though the server certificate itself has been revoked. No user interaction is required beyond the application having enabled OCSP stapling [4].
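The Vulnerability and Exploitation paragraphs above describe a missing comparison rather than a parsing bug, so the easiest way to see it is to model the check itself. The following added example (not code from curl or from this page) stands in for the OpenSSL-backend logic with plain Python: a `CertID` is built the way RFC 6960 defines it (hash of the issuer's name, hash of the issuer's public key, and the serial number), and two verifiers are compared, one that trusts the first single response it finds (the pre-7.74.0 behaviour as described above) and one that insists the response's `CertID` match the certificate the server presented. The certificate fields are bytes placeholders standing in for DER, and the scenario (a revoked server certificate, an unrelated good certificate from the same CA) is constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for the DER structures an OCSP client hashes.
# Real code works on ASN.1 (RFC 6960 CertID); the bytes literals below
# are placeholders so the matching logic can run offline.


@dataclass(frozen=True)
class Cert:
    subject_der: bytes   # DER-encoded subject Name (placeholder bytes)
    issuer_der: bytes    # DER-encoded issuer Name, as copied into this cert
    public_key: bytes    # contents of the subjectPublicKey BIT STRING
    serial: int


@dataclass(frozen=True)
class CertID:
    hash_alg: str
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int


@dataclass(frozen=True)
class SingleResponse:
    cert_id: CertID
    cert_status: str     # "good", "revoked" or "unknown"


def cert_id_for(cert: Cert, issuer: Cert, hash_alg: str = "sha1") -> CertID:
    """Build the CertID a responder uses for `cert` (RFC 6960 section 4.1.1):
    hash of the issuer DN, hash of the issuer public key, plus the serial."""
    h = getattr(hashlib, hash_alg)
    return CertID(hash_alg,
                  h(cert.issuer_der).digest(),
                  h(issuer.public_key).digest(),
                  cert.serial)


def stapled_status_unchecked(responses, server_cert, issuer_cert) -> bool:
    """Models the pre-7.74.0 OpenSSL-backend behaviour described above: the
    first SingleResponse of the (assumed signature-valid) response is used
    and its certStatus is accepted without looking at its CertID at all."""
    return responses[0].cert_status == "good"


def stapled_status_checked(responses, server_cert, issuer_cert) -> bool:
    """Hardened form: only a SingleResponse whose CertID matches the
    certificate the server actually presented may vouch for it. The CertID
    is recomputed with whatever hash algorithm the responder chose."""
    for single in responses:
        expected = cert_id_for(server_cert, issuer_cert, single.cert_id.hash_alg)
        if single.cert_id == expected:
            return single.cert_status == "good"
    return False    # nothing covers this certificate: treat as unverified


# ---- constructed scenario (not real certificates) ----------------------
CA = Cert(subject_der=b"CN=Example Issuing CA", issuer_der=b"CN=Example Root",
          public_key=b"ca-public-key-bits", serial=1)
# The server's certificate: its key was stolen, so the CA revoked it.
REVOKED_SERVER = Cert(subject_der=b"CN=www.example.test",
                      issuer_der=CA.subject_der,
                      public_key=b"server-public-key-bits", serial=0x1001)
# An unrelated certificate from the same CA that is still good.
OTHER_CERT = Cert(subject_der=b"CN=other.example.test",
                  issuer_der=CA.subject_der,
                  public_key=b"other-public-key-bits", serial=0x2002)

# What an honest server would staple for REVOKED_SERVER.
HONEST_STAPLE = [SingleResponse(cert_id_for(REVOKED_SERVER, CA), "revoked")]
# What the attacker staples instead: a genuine "good" response for OTHER_CERT.
SWAPPED_STAPLE = [SingleResponse(cert_id_for(OTHER_CERT, CA), "good")]

if __name__ == "__main__":
    for name, staple in (("honest", HONEST_STAPLE), ("swapped", SWAPPED_STAPLE)):
        print(name,
              "unchecked:", stapled_status_unchecked(staple, REVOKED_SERVER, CA),
              "checked:", stapled_status_checked(staple, REVOKED_SERVER, CA))
```

Both verifiers reject the honest staple (it says "revoked"), but only the checked one rejects the swapped staple: the unchecked verifier sees a "good" status and never notices it belongs to serial 0x2002 rather than 0x1001. The other checks a real client also performs (responder signature, producedAt/thisUpdate/nextUpdate window) are assumed to have passed and are deliberately left out so the missing CertID comparison stands alone.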
Impact
Successful exploitation allows an attacker to bypass certificate revocation checking, enabling the use of revoked certificates. This undermines the security guarantees of TLS connections that rely on OCSP stapling. The severity is rated as Medium [4].
Mitigation
The vulnerability is fixed in libcurl version 7.74.0, released on December 9, 2020. Users should upgrade to 7.74.0 or later. Until an upgrade is possible, applications can stop relying on OCSP stapling (do not set CURLOPT_SSL_VERIFYSTATUS or pass --cert-status), since the flawed check is only reached when stapling is enabled. The fix is implemented in commit d9d01672785b [4].
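Because the flaw depends on both the libcurl version and the TLS backend it was built with, a quick triage is to read the first line of `curl -V`. The example below is added here and is not part of the page or of the curl project; it parses that line, takes the version from the `libcurl/x.y.z` token (the tool can be linked against a different libcurl than its own version suggests) and reports "affected" only for 7.41.0 through 7.73.0 with an OpenSSL-family backend. The sample outputs are constructed to look like real `curl -V` first lines. Treating LibreSSL and BoringSSL tokens as the OpenSSL backend is an assumption made here: curl compiles those builds through the same backend source, but the page itself only names OpenSSL.

```python
import re
import subprocess

# Inclusive range the page lists as affected, and the release that fixes it.
AFFECTED_FIRST = (7, 41, 0)
AFFECTED_LAST = (7, 73, 0)
FIXED_IN = (7, 74, 0)

# Tokens on the first `curl -V` line that indicate curl's OpenSSL backend.
# LibreSSL/BoringSSL are included on the assumption (not stated on the page)
# that those builds use the same backend code as OpenSSL builds.
OPENSSL_BACKEND_TOKENS = ("OpenSSL/", "LibreSSL/", "BoringSSL")


def parse_curl_version(output: str):
    """Return (libcurl_version_tuple, dependency_tokens) from `curl -V` output.

    The first line looks like:
      curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 ...
    Everything after the libcurl/x.y.z token is the list of linked libraries.
    """
    first = output.strip().splitlines()[0]
    tokens = first.split()
    idx = next((i for i, t in enumerate(tokens) if t.startswith("libcurl/")), None)
    if idx is None:
        raise ValueError("no libcurl/x.y.z token in: " + first)
    m = re.fullmatch(r"libcurl/(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", tokens[idx])
    if m is None:
        raise ValueError("unparseable libcurl version token: " + tokens[idx])
    version = tuple(int(p) for p in m.groups())
    return version, tokens[idx + 1:]


def is_affected(version, dependency_tokens) -> bool:
    """True when libcurl is in the affected range and links an OpenSSL-family
    backend. Only then can CURLOPT_SSL_VERIFYSTATUS / --cert-status be fooled
    by a stapled response that belongs to a different certificate."""
    in_range = AFFECTED_FIRST <= version <= AFFECTED_LAST
    openssl = any(tok.startswith(OPENSSL_BACKEND_TOKENS) for tok in dependency_tokens)
    return in_range and openssl


def triage(output: str) -> str:
    """One-word verdict for a `curl -V` dump."""
    version, deps = parse_curl_version(output)
    if is_affected(version, deps):
        return "affected"
    if version >= FIXED_IN:
        return "fixed-upstream"
    return "not-affected"


# Constructed samples patterned on real `curl -V` output (first line matters).
SAMPLE_OPENSSL_OLD = """curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
Release-Date: 2020-01-08
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets
"""
SAMPLE_GNUTLS = "curl 7.64.0 (x86_64-pc-linux-gnu) libcurl/7.64.0 GnuTLS/3.6.7 zlib/1.2.11 libidn2/2.0.5 nghttp2/1.36.0\n"
SAMPLE_FIXED = "curl 7.74.0 (x86_64-pc-linux-gnu) libcurl/7.74.0 OpenSSL/1.1.1i zlib/1.2.11 nghttp2/1.41.0\n"
SAMPLE_TOO_OLD = "curl 7.40.0 (x86_64-pc-linux-gnu) libcurl/7.40.0 OpenSSL/1.0.1k zlib/1.2.8\n"

if __name__ == "__main__":
    for label, sample in (("openssl-7.68", SAMPLE_OPENSSL_OLD), ("gnutls-7.64", SAMPLE_GNUTLS),
                          ("openssl-7.74", SAMPLE_FIXED), ("openssl-7.40", SAMPLE_TOO_OLD)):
        print(f"{label}: {triage(sample)}")
    try:
        local = subprocess.run(["curl", "-V"], capture_output=True, text=True, check=True).stdout
        print("local curl:", triage(local))
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("local curl: could not run `curl -V`:", exc)
```

Two caveats when using this in practice. Distribution packages backport fixes without changing the upstream version string: the SUSE ranges listed under Affected products on this page (for example 7.60.0-lp151.5.18.1) are patched builds of 7.60.0, so for a distro package the package changelog or the vendor advisory is authoritative, not the version alone. And an "affected" build is only exploitable if the application actually enables OCSP stapling, so the other half of the triage is searching the code for CURLOPT_SSL_VERIFYSTATUS and scripts for --cert-status.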
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- curl/curl (OSV coordinates, 14 package versions; no CPE assigned)
- pkg:rpm/opensuse/curl&distro=openSUSE%20Leap%2015.1, range: < 7.60.0-lp151.5.18.1
- pkg:rpm/opensuse/curl&distro=openSUSE%20Leap%2015.2, range: < 7.66.0-lp152.3.12.1
- pkg:rpm/opensuse/curl&distro=openSUSE%20Tumbleweed, range: < 7.79.1-1.1
- pkg:rpm/opensuse/curl-mini&distro=openSUSE%20Leap%2015.1, range: < 7.60.0-lp151.5.18.1
- pkg:rpm/opensuse/curl-mini&distro=openSUSE%20Leap%2015.2, range: < 7.66.0-lp152.3.12.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1, range: < 7.60.0-3.35.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2, range: < 7.66.0-4.11.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS, range: < 7.60.0-4.20.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5, range: < 7.60.0-11.9.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4, range: < 7.60.0-4.20.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5, range: < 7.60.0-11.9.1
- pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5, range: < 7.60.0-11.9.1
- pkg:rpm/suse/curl&distro=SUSE%20OpenStack%20Cloud%209, range: < 7.60.0-4.20.1
- pkg:rpm/suse/curl&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209, range: < 7.60.0-4.20.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DAEHE2S2QLO4AO4MEEYL75NB7SAH5PSL/ (Fedora vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/ (Fedora vendor advisory)
- security.gentoo.org/glsa/202012-14 (Gentoo vendor advisory)
- www.debian.org/security/2021/dsa-4881 (Debian vendor advisory)
- seclists.org/fulldisclosure/2021/Apr/50 (Full Disclosure mailing list)
- seclists.org/fulldisclosure/2021/Apr/51 (Full Disclosure mailing list)
- seclists.org/fulldisclosure/2021/Apr/54 (Full Disclosure mailing list)
- cert-portal.siemens.com/productcert/pdf/ssa-200951.pdf (Siemens, confirm)
- cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf (Siemens, confirm)
- curl.se/docs/CVE-2020-8286.html (curl project advisory)
- hackerone.com/reports/1048457 (HackerOne report)
- lists.debian.org/debian-lts-announce/2020/12/msg00029.html (Debian LTS mailing list)
- security.netapp.com/advisory/ntap-20210122-0007/ (NetApp, confirm)
- support.apple.com/kb/HT212325 (Apple, confirm)
- support.apple.com/kb/HT212326 (Apple, confirm)
- support.apple.com/kb/HT212327 (Apple, confirm)
- www.oracle.com//security-alerts/cpujul2021.html (Oracle Critical Patch Update, July 2021)
- www.oracle.com/security-alerts/cpuApr2021.html (Oracle Critical Patch Update, April 2021)
- www.oracle.com/security-alerts/cpuapr2022.html (Oracle Critical Patch Update, April 2022)
News mentions
No linked articles in our index yet.