The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade SLES:15.6
curl
to version 8.6.0-150600.4.12.1 or higher.
Note: Versions mentioned in the description apply only to the upstream curl
package and not the curl
package as distributed by SLES
.
See How to fix?
for SLES:15.6
relevant fixed versions and status.
When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended.
This affects curl using applications that enable HSTS and use URLs with the
insecure HTTP://
scheme and perform transfers with hosts like
x.example.com
as well as example.com
where the first host is a subdomain
of the second host.
(The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.)
When x.example.com
responds with Strict-Transport-Security:
headers, this
bug can make the subdomain's expiry timeout bleed over and get set for the
parent domain example.com
in curl's HSTS cache.
The result of a triggered bug is that HTTP accesses to example.com
get
converted to HTTPS for a different period of time than what was asked for by
the origin server. If example.com
for example stops supporting HTTPS at its
expiry time, curl might then fail to access http://example.com
until the
(wrongly set) timeout expires. This bug can also expire the parent's entry
earlier, thus making curl inadvertently switch back to insecure HTTP earlier
than otherwise intended.