#cURL doesn’t validate SSH host identity if known_hosts file is missing. I think this is a #vulnerability, but the project disagrees. Advisory is here: https://sintonen.fi/advisories/curl-ssh-insufficient-host-identity-verification.txt
#infosec #cybersecurity #nocve
You must log in or register to comment.
This is a good post and article. It actually contains enough information to make an assessment about how this vulnerability equates to risk in our environments. I completely agree with the author that curl requests should fail if they can’t perform validation as defined being the default behavior.
The latest curl version 8.12.0 (released today) is affected.
