#cURL doesn't validate SSH host identity if known_hosts file is missing. I think this is a #vulnerability, but the project disagrees. Advisory is here: https://sintonen.fi/advisories/curl-ssh-insufficient-host-identity-verification.txt

#infosec #cybersecurity #nocve

Dubiousx99@lemmy.world 2 points 2 months ago

This is a good post and article. It actually contains enough information to make an assessment about how this vulnerability equates to risk in our environments. I completely agree with the author that curl requests should fail if they can’t perform validation as defined being the default behavior.
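A fail-closed precheck of the kind the comment asks for, as an added example that is not part of the thread, the advisory or curl itself: before an `scp://` or `sftp://` URL is handed to curl, it refuses to proceed unless the known_hosts file exists and names the target host. The function names, return strings and the choice to reject wildcard and `@`-marker lines are assumptions of this sketch; it checks only that a pinned entry exists and does not compare keys.

```python
import base64, hashlib, hmac
from urllib.parse import urlsplit

SSH_SCHEMES = {"scp", "sftp"}

def _token(host, port):
    # known_hosts records non-default ports as "[host]:port"
    return host if port in (None, 22) else f"[{host}]:{port}"

def _matches(pattern, token):
    if pattern.startswith("|1|"):
        # Hashed entry: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))
        try:
            _, _, salt_b64, mac_b64 = pattern.split("|")
            salt, want = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        except ValueError:
            return False
        got = hmac.new(salt, token.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, want)
    # Plain entry: exact match only; wildcard patterns are deliberately not accepted
    return pattern.lower() == token

def has_host_entry(known_hosts_text, host, port=None):
    """True if some usable known_hosts line names this host (and port)."""
    token = _token(host.lower(), port)
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @cert-authority/@revoked markers, short lines
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        if any(_matches(p, token) for p in fields[0].split(",")):
            return True
    return False

def precheck(url, known_hosts_path):
    """Return (ok, reason); ok is False whenever host identity cannot be checked."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in SSH_SCHEMES:
        return True, "not an SSH URL"
    try:
        with open(known_hosts_path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return False, "known_hosts missing or unreadable"
    if not has_host_entry(text, parts.hostname or "", parts.port):
        return False, "no known_hosts entry for host"
    return True, "known_hosts entry present"
```

A caller would run `precheck(url, path)` first and invoke curl only when the first element of the result is true, logging the reason otherwise.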

this post was submitted on 05 Feb 2025
14 points (100.0% liked)