curl and libcurl TLS Requirement Bypass Vulnerability in Connection Reuse

Vulnerability

A vulnerability exists in curl and libcurl versions 7.20.0 through 8.19.0: a transfer that requires TLS can incorrectly reuse an unencrypted connection already held in the same connection pool. The issue arises when an initial transfer to a mail server is made in clear text over IMAP, SMTP, or POP3. A subsequent transfer to the same host that requires TLS can then be sent over that clear-text connection, bypassing the TLS requirement and transmitting data unencrypted. The vulnerability was introduced when clear-text STARTTLS support was added to these protocols in curl 7.20.0.

Impact

Exploiting this vulnerability allows a connection that requires TLS to be sent over a previously established clear-text connection, contrary to the user's intention of securing the transmission.

Reproduction

The vulnerability can be reproduced by first establishing a clear-text connection to a mail server using IMAP, SMTP, or POP3. After this connection is open, a subsequent request can be made to the same server that requires TLS, which will incorrectly use the unencrypted connection instead.

Remediation

Users are advised to upgrade to curl and libcurl version 8.20.0, or to apply the patch available in the curl GitHub repository.
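As an added check for administrators (not code from the advisory or the curl project), the following Python parses the first line of `curl --version` and reports whether the curl tool, the libcurl it links, or both fall inside the affected 7.20.0 through 8.19.0 range; the tool and the library can be different builds, so both are compared. The sample banner is constructed.

```python
import re
import subprocess

# Affected range stated in the advisory: curl/libcurl 7.20.0 through 8.19.0 inclusive.
AFFECTED_FIRST = (7, 20, 0)
AFFECTED_LAST = (8, 19, 0)

# Constructed sample of a `curl --version` first line (not captured from a real host).
SAMPLE_BANNER = "curl 8.19.0 (x86_64-pc-linux-gnu) libcurl/8.19.0 OpenSSL/3.0.13 zlib/1.3"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first x.y.z in text as an int tuple, or None if absent."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def versions_from_banner(banner):
    """Split the first line of `curl --version` into (curl, libcurl) versions.
    The tool and the library it links can be different builds, so both are read."""
    lines = banner.strip().splitlines()
    first = lines[0] if lines else ""
    curl_ver = parse_version(first)
    lib = re.search(r"libcurl/(\d+\.\d+\.\d+)", first)
    lib_ver = parse_version(lib.group(1)) if lib else None
    return curl_ver, lib_ver


def is_affected(version):
    """True when version lies inside the advisory's affected range."""
    return version is not None and AFFECTED_FIRST <= version <= AFFECTED_LAST


def assess(banner):
    """Report whether the curl tool and/or the libcurl in a banner need upgrading."""
    curl_ver, lib_ver = versions_from_banner(banner)
    return {"curl": curl_ver, "libcurl": lib_ver,
            "curl_affected": is_affected(curl_ver),
            "libcurl_affected": is_affected(lib_ver)}


def assess_local():
    """Assess the curl binary on PATH; returns None when curl is not installed."""
    try:
        proc = subprocess.run(["curl", "--version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return assess(proc.stdout)
```

A libcurl reported as affected needs upgrading even when the curl tool itself reads 8.20.0 or later, since the reuse logic lives in the library.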

Added: May 13, 2026, 4:27 PM
Updated: May 13, 2026, 4:27 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          0.6
  exploitability  5.8
  remediation     8.3
  relevance       8.2
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.