CVE-2020-8286: High severity apple macos vulnerability

Published Dec 9, 2020
·
Updated

curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.

Other sources

cURL libcurl could allow a remote attacker to bypass security restrictions, caused by improper OCSP response verification. By sending a specially-crafted request, an attacker could exploit this vulnerability to breach a TLS server.

IBM

curl. This issue was addressed with improved checks.

Libcurl offers "OCSP stapling" via the CURLOPTSSLVERIFYSTATUS option. When set, libcurl verifies the OCSP response that a server responds with as part of the TLS handshake. It then aborts the TLS negotiation if something is wrong with the response. The same feature can be enabled with --cert-status using the curl tool. As part of the OCSP response verification, a client should verify that the response is indeed set out for the correct certificate. This step was not performed by libcurl when built or told to use OpenSSL as TLS backend.

Credit

an anonymous researcher, an anonymous researcher, an anonymous researcher

Affected Software

73 affected componentsFixes available
redhat/jbcs-httpd24<0:1-18.el8
0:1-18.el8
redhat/jbcs-httpd24-apr<0:1.6.3-105.el8
0:1.6.3-105.el8
redhat/jbcs-httpd24-apr-util<0:1.6.1-82.el8
0:1.6.1-82.el8
redhat/jbcs-httpd24-brotli<0:1.0.6-40.el8
0:1.0.6-40.el8
redhat/jbcs-httpd24-curl<0:7.77.0-2.el8
0:7.77.0-2.el8
redhat/jbcs-httpd24-httpd<0:2.4.37-74.el8
0:2.4.37-74.el8
redhat/jbcs-httpd24-jansson<0:2.11-55.el8
0:2.11-55.el8
redhat/jbcs-httpd24-nghttp2<0:1.39.2-37.el8
0:1.39.2-37.el8
redhat/jbcs-httpd24-openssl<1:1.1.1g-6.el8
1:1.1.1g-6.el8
redhat/jbcs-httpd24-openssl-chil<0:1.0.0-5.el8
0:1.0.0-5.el8
redhat/jbcs-httpd24-openssl-pkcs11<0:0.4.10-20.el8
0:0.4.10-20.el8
redhat/jbcs-httpd24<0:1-18.jbcs.el7
0:1-18.jbcs.el7
redhat/jbcs-httpd24-apr<0:1.6.3-105.jbcs.el7
0:1.6.3-105.jbcs.el7
redhat/jbcs-httpd24-apr-util<0:1.6.1-82.jbcs.el7
0:1.6.1-82.jbcs.el7
redhat/jbcs-httpd24-curl<0:7.77.0-2.jbcs.el7
0:7.77.0-2.jbcs.el7
redhat/jbcs-httpd24-httpd<0:2.4.37-74.jbcs.el7
0:2.4.37-74.jbcs.el7
redhat/jbcs-httpd24-jansson<0:2.11-55.jbcs.el7
0:2.11-55.jbcs.el7
redhat/curl<0:7.61.1-18.el8
0:7.61.1-18.el8
debian/curl
7.64.0-4+deb10u27.64.0-4+deb10u77.74.0-1.3+deb11u97.74.0-1.3+deb11u107.88.1-10+deb12u37.88.1-10+deb12u48.4.0-2
debian/curl<=7.64.0-4+deb10u1, <=7.72.0-1, <=7.64.0-4
redhat/curl<7.74.0
7.74.0
Apple macOS Big Sur<11.3
11.3
Apple Catalina
Apple Mojave
IBM Cloud Pak for Security (CP4S)<=1.7.2.0
IBM Cloud Pak for Security (CP4S)<=1.7.1.0
IBM Cloud Pak for Security (CP4S)<=1.7.0.0
haxx libcurl>=7.41.0<7.74.0
Fedoraproject Fedora=32
Fedoraproject Fedora=33
Debian Debian Linux=9.0
Debian Debian Linux=10.0
NetApp Clustered Data ONTAP
NetApp Hci Management Node
NetApp Solidfire
All of the following
NetApp Hci Bootstrap Os
NetApp Hci Compute Node
All of the following
NetApp Hci Storage Node Firmware
NetApp Hci Storage Node
Apple iOS and macOS<10.14.6
Apple iOS and macOS>=10.15<10.15.7
Apple iOS and macOS=10.14.6
Apple iOS and macOS=10.14.6-security_update_2019-001
Apple iOS and macOS=10.14.6-security_update_2019-002
Apple iOS and macOS=10.14.6-security_update_2020-001
Apple iOS and macOS=10.14.6-security_update_2020-002
Apple iOS and macOS=10.14.6-security_update_2020-003
Apple iOS and macOS=10.14.6-security_update_2020-004
Apple iOS and macOS=10.14.6-security_update_2020-005
Apple iOS and macOS=10.14.6-security_update_2020-006
Apple iOS and macOS=10.14.6-security_update_2020-007
Apple iOS and macOS=10.14.6-security_update_2021-001
Apple iOS and macOS=10.15.7
Apple iOS and macOS=10.15.7-security_update_2020-001
Apple iOS and macOS=10.15.7-security_update_2021-001
Apple iOS and macOS=10.15.7-supplemental_update
Apple macOS>=11.0<11.3
All of the following
Siemens Simatic Tim 1531 Irc Firmware<=2.2
Siemens Simatic Tim 1531 Irc
Siemens Sinec Infrastructure Network Services<1.0.1.1
Oracle Communications Billing and Revenue Management=12.0.0.3.0
Oracle Communications Cloud Native Core Policy=1.14.0
Oracle Essbase=21.2
Oracle PeopleSoft Enterprise PeopleTools=8.58
Splunk Universal Forwarder>=8.2.0<8.2.12
Splunk Universal Forwarder>=9.0.0<9.0.6
Splunk Universal Forwarder=9.1.0
NetApp Hci Bootstrap Os
NetApp Hci Compute Node
NetApp Hci Storage Node Firmware
NetApp Hci Storage Node
Siemens Simatic Tim 1531 Irc Firmware<=2.2
Siemens Simatic Tim 1531 Irc

Remediation

Patch Available

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Patch Available

https://hackerone.com/reports/1048457

Patch Available

https://www.oracle.com/security-alerts/cpuapr2022.html

Event History

Dec 9, 2020
CVE Published
12:00 AM
Dec 14, 2020
CVE Published
via MITRE·07:39 PM
Data Sourced
via MITRE·07:39 PM
DescriptionWeakness

Parent advisories

This vulnerability appears in the following advisories.

Peer vulnerabilities

Found alongside the following vulnerabilities.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the CVE ID of this vulnerability?

CVE-2020-8286

2

What is the severity level of CVE-2020-8286?

High

3

What software is affected by CVE-2020-8286?

curl

4

How can I fix CVE-2020-8286?

Upgrade to version 7.74.0 or later for curl.

5

Where can I find more information about CVE-2020-8286?

You can find more information about CVE-2020-8286 at the following references: [link1](https://support.apple.com/en-us/HT212326), [link2](https://support.apple.com/en-us/HT212327), [link3](https://support.apple.com/en-us/HT212325).

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203