
Cloud Vulnerability DB
A community-led vulnerabilities database
curl version 8.5.0 contained a vulnerability where it inadvertently kept the SSL session ID for a connection in its session cache even when the verify status check failed. The verify status check is the validation of the server's stapled OCSP response that curl performs only when it is requested, with --cert-status on the command line or CURLOPT_SSL_VERIFYSTATUS in libcurl. This vulnerability, identified as CVE-2024-0853, was reported to the curl project on December 29, 2023, and publicly disclosed on January 31, 2024. The issue affects curl version 8.5.0 only, and only when curl is built with OpenSSL and the connection uses TLS 1.2 (Curl Advisory).
The vulnerability is classified as improper certificate validation (CWE-295). When the verify status check fails, curl aborts the transfer, but the session ID that OpenSSL established during the handshake stays in curl's session cache. If a subsequent transfer to the same hostname finds that cached session still fresh, curl resumes the TLS 1.2 session with an abbreviated handshake, in which the server sends neither its certificate nor a stapled OCSP response; the verify status check therefore never runs, and the transfer that was refused a moment earlier now succeeds. The vulnerability has been assigned a CVSS v3.1 score of 5.3 (Medium) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).
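The cache behaviour described above, as an added example that is not curl's code: a small model of a client with a hostname-keyed session cache, run once with the 8.5.0 ordering (session stored as soon as the handshake completes, before the status check) and once with the 8.6.0 ordering (session kept only when the check passed). The Server and Client classes, the hostname and the stapled statuses are constructed stand-ins, not network objects.

```python
"""Added example (not curl's code): a model of the session-cache logic behind CVE-2024-0853.

The client keeps one TLS session ID per hostname, as curl's session cache does, and a
resumed TLS 1.2 session skips the certificate and stapled-OCSP checks, because an
abbreviated handshake carries neither a Certificate nor a CertificateStatus message.
"""
from dataclasses import dataclass, field


@dataclass
class Server:
    """Constructed stand-in for a TLS 1.2 server; `ocsp_status` is what it staples."""
    hostname: str
    ocsp_status: str        # "good", "revoked", or "" when nothing is stapled


@dataclass
class Client:
    """Minimal client with a hostname-keyed session-ID cache."""
    fixed: bool                                   # False: 8.5.0 behaviour, True: 8.6.0 behaviour
    verify_status: bool = True                    # --cert-status / CURLOPT_SSL_VERIFYSTATUS set
    session_cache: dict = field(default_factory=dict)   # hostname -> session ID
    log: list = field(default_factory=list)
    handshakes: int = 0

    def transfer(self, server: Server) -> bool:
        """One transfer to `server`. Returns True if data was exchanged, False if aborted."""
        sid = self.session_cache.get(server.hostname)
        if sid is not None:
            # Abbreviated handshake: no certificate and no stapled status arrive, so
            # there is nothing to check and the transfer proceeds.
            self.log.append(f"{server.hostname}: resumed {sid}, verify-status check skipped")
            return True

        self.handshakes += 1
        sid = f"sid-{self.handshakes}"
        if not self.fixed:
            # 8.5.0: curl stores the session from OpenSSL's new-session callback, which
            # fires when the handshake completes, before curl's own status check runs.
            self.session_cache[server.hostname] = sid

        status_ok = (not self.verify_status) or server.ocsp_status == "good"
        if not status_ok:
            self.log.append(f"{server.hostname}: full handshake {sid}, OCSP status "
                            f"{server.ocsp_status!r} rejected, transfer aborted")
            # 8.5.0 leaves the rejected session in the cache; 8.6.0 never stored it.
            return False

        if self.fixed:
            # 8.6.0: only a session whose checks passed is kept for later resumption.
            self.session_cache[server.hostname] = sid
        self.log.append(f"{server.hostname}: full handshake {sid}, checks passed, transfer done")
        return True


def run_scenario(fixed: bool, statuses, verify_status: bool = True):
    """Run successive transfers to one host whose stapled status is statuses[i] on the
    i-th connection. Returns one bool per transfer (True = data exchanged)."""
    client = Client(fixed=fixed, verify_status=verify_status)
    return [client.transfer(Server("example.test", s)) for s in statuses]


if __name__ == "__main__":
    # Vulnerable: the first transfer is refused, the second resumes and succeeds.
    print("8.5.0:", run_scenario(False, ["revoked", "revoked"]))   # [False, True]
    # Fixed: every attempt runs a full handshake and is refused again.
    print("8.6.0:", run_scenario(True, ["revoked", "revoked"]))    # [False, False]
```

Two further runs are worth trying: `run_scenario(True, ["good", "revoked"])` returns `[True, True]` in both versions, because resuming a session whose certificate was validated at establishment is how TLS 1.2 resumption is meant to work; and `run_scenario(False, ["revoked"], verify_status=False)` returns `[True]`, because without --cert-status curl never checks stapled status at all, so there is no check to bypass.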
The practical impact is that curl can complete a transfer to a server whose certificate status it could not verify, or whose certificate was reported revoked, provided a session from an earlier failed attempt to the same hostname is still in the cache. NVD rates this as a limited loss of integrity (I:L in the vector above), that is, unauthorized modification of data, with no confidentiality or availability impact. In the TLS 1.2 resumption path the OCSP stapling verification is bypassed entirely; it applies only when the client had requested that verification in the first place (Curl Advisory).
The vulnerability has been fixed in curl version 8.6.0, released on January 31, 2024. Users are recommended to upgrade to this version or later. Alternative mitigations are not using curl built with OpenSSL and not using TLS 1.2 for transfers (for example, requiring TLS 1.3 with --tlsv1.3 against servers that support it). The fix ensures that if the verify status check fails, the session ID is not kept in the cache (Curl Advisory). Note that curl only performs this check when --cert-status or CURLOPT_SSL_VERIFYSTATUS is set; a deployment that never enables it does no OCSP stapling verification to begin with, so there is nothing for this bug to bypass, and distribution packages may carry the fix under the 8.5.0 version number, so check the package changelog as well as the version string.
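A first-pass check of whether an installed build matches the advisory criteria, as an added example that is neither curl's nor NVD's code: it parses the first line of `curl --version` for the version number and the TLS backend names. It assumes an unpatched upstream version string, takes "built with OpenSSL" to mean an OpenSSL token among the backends, and flags forks that share curl's OpenSSL backend code (LibreSSL, BoringSSL, AWS-LC) for manual review rather than classifying them, since the advisory text quoted on this page names only OpenSSL. The sample outputs are constructed, not captured from real hosts.

```python
"""Added example (not curl's or NVD's code): decide from `curl --version` output whether
a build matches the CVE-2024-0853 advisory criteria (8.5.0, built with OpenSSL)."""
import re

AFFECTED_VERSIONS = {"8.5.0"}      # advisory: 8.5.0 only; < 8.5.0 and >= 8.6.0 are not affected
TLS_BACKENDS = {"OpenSSL", "LibreSSL", "BoringSSL", "AWS-LC", "GnuTLS", "mbedTLS",
                "wolfSSL", "Schannel", "SecureTransport", "rustls", "BearSSL"}
OPENSSL_FORKS = {"LibreSSL", "BoringSSL", "AWS-LC"}   # assumption: need manual review


def parse_version_line(output: str):
    """Return (curl version, set of TLS backend names) from `curl --version` output."""
    line = output.strip().splitlines()[0]
    m = re.match(r"curl (\d+\.\d+\.\d+)", line)
    if not m:
        raise ValueError(f"not a curl --version line: {line!r}")
    backends = set()
    for tok in line.split()[1:]:
        # "OpenSSL/3.0.2" -> "OpenSSL"; "(SecureTransport)" -> "SecureTransport";
        # Windows builds list "Schannel" with no version suffix.
        name = tok.strip("()").split("/", 1)[0]
        if name in TLS_BACKENDS:
            backends.add(name)
    return m.group(1), backends


def assess(output: str) -> str:
    """'affected', 'not affected' or 'review' for one `curl --version` output."""
    version, backends = parse_version_line(output)
    if version not in AFFECTED_VERSIONS:
        return "not affected"
    if "OpenSSL" in backends:
        # With several backends compiled in, the flaw applies when OpenSSL is the one
        # selected at run time (CURL_SSL_BACKEND); the build is still treated as affected.
        return "affected"
    if backends & OPENSSL_FORKS:
        return "review"
    return "not affected"


# Constructed sample outputs for the example; not captured from real hosts.
SAMPLES = {
    "linux-openssl": "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.2 zlib/1.2.11 "
                     "nghttp2/1.43.0\nRelease-Date: 2023-12-06\nProtocols: http https\n",
    "fixed":         "curl 8.6.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 OpenSSL/3.0.2 zlib/1.2.11\n",
    "gnutls":        "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 GnuTLS/3.7.9 zlib/1.2.11\n",
    "windows":       "curl 8.5.0 (Windows) libcurl/8.5.0 Schannel zlib/1.3 nghttp2/1.58.0\n",
    "libressl":      "curl 8.5.0 (x86_64-apple-darwin23) libcurl/8.5.0 (SecureTransport) "
                     "LibreSSL/3.3.6 zlib/1.2.12\n",
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(f"{name:14} {assess(out)}")
```

To run it against a real host, pipe the command output in, for example `assess(subprocess.run(["curl", "--version"], capture_output=True, text=True).stdout)`. The version string is a first pass only: it says nothing about whether --cert-status is in use, and it cannot see a distribution backport of the fix.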
Source: This report was generated using AI