CVE-2013-1944

Severity: medium

Description

The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL.
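As an added illustration (not code from this page, from curl, or from the referenced commit), the following is a simplified reconstruction of the bare suffix comparison the description refers to, placed beside a label-boundary check of the kind 7.30.0 introduced; the function names and the sample cookie-domain/host pairs are constructed, and the cookie domain is assumed to have its leading dot already stripped.

```c
/* Reconstructed illustration of the CVE-2013-1944 cookie-domain check.
 * Both functions answer: may a cookie whose Domain attribute is `domain`
 * be sent to a request for `host`? Assumes `domain` has no leading dot. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Pre-7.30.0 behaviour: a plain case-insensitive suffix comparison.
 * "example.com" is also a suffix of "badexample.com", so a cookie set
 * for example.com is sent to an unrelated host. */
bool tailmatch_vulnerable(const char *domain, const char *host)
{
    size_t dlen = strlen(domain), hlen = strlen(host);
    if (dlen > hlen)
        return false;
    return strcasecmp(domain, host + hlen - dlen) == 0;
}

/* Fixed behaviour (RFC 6265 section 4.1.2.3 domain-match): the suffix
 * must be the whole host, or be preceded by a '.' label boundary. */
bool tailmatch_fixed(const char *domain, const char *host)
{
    size_t dlen = strlen(domain), hlen = strlen(host);
    if (dlen > hlen)
        return false;
    if (strcasecmp(domain, host + hlen - dlen) != 0)
        return false;
    if (hlen == dlen)
        return true;                          /* exact host match */
    return host[hlen - dlen - 1] == '.';      /* "www.example.com" */
}

int main(void)
{
    /* constructed sample pairs: cookie domain, request host */
    const char *cases[][2] = {
        {"example.com", "example.com"},     /* both checks: send   */
        {"example.com", "www.example.com"}, /* both checks: send   */
        {"example.com", "badexample.com"},  /* only the old one sends */
    };
    for (size_t i = 0; i < 3; i++)
        printf("%-12s -> %-16s vulnerable=%d fixed=%d\n",
               cases[i][0], cases[i][1],
               tailmatch_vulnerable(cases[i][0], cases[i][1]),
               tailmatch_fixed(cases[i][0], cases[i][1]));
    return 0;
}
```

The third pair is the case the advisory describes: the old check sends the cookie to the unrelated host, the boundary check does not.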

References

http://curl.haxx.se/docs/adv_20130412.html

http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html

http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102056.html

http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102711.html

http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104207.html

http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104598.html

http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105539.html

http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106606.html

http://lists.opensuse.org/opensuse-updates/2013-06/msg00013.html

http://lists.opensuse.org/opensuse-updates/2013-06/msg00016.html

http://rhn.redhat.com/errata/RHSA-2013-0771.html

http://secunia.com/advisories/53044

http://secunia.com/advisories/53051

http://secunia.com/advisories/53097

http://www.debian.org/security/2012/dsa-2660

http://www.mandriva.com/security/advisories?name=MDVSA-2013:151

http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

http://www.osvdb.org/92316

http://www.securityfocus.com/bid/59058

http://www.ubuntu.com/usn/USN-1801-1

https://bugzilla.redhat.com/show_bug.cgi?id=950577

https://github.com/bagder/curl/commit/2eb8dcf26cb37f09cffe26909a646e702dbcab66

https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0121

Details

Source: MITRE

Published: 2013-04-29

Updated: 2016-09-09

Type: CWE-200

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:haxx:curl:6.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:6.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:6.1:beta:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:6.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:6.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:6.3.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:6.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:6.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:6.5.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:6.5.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.1.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.2.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.4.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.4.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.5.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.5.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.6.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.7.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.7.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.7.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.8:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.8.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.9:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.9.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.9.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.9.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.9.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.9.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.9.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.9.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.9.8:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.10:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.10.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.10.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.10.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.10.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.10.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.10.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.10.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.10.8:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.11.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.11.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.11.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.12.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.12.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.12.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.12.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.13.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.13.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.13.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.14.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.14.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.16.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.16.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.16.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.16.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.16.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.17.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.17.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.18.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.18.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.18.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.20.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.20.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.22.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.23.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.23.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.24.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.25.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.26.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.27.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.28.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.28.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* versions up to 7.29.0 (inclusive)

Configuration 2

OR

cpe:2.3:a:haxx:libcurl:7.14.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.14.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.17.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.17.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.18.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.18.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.20.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.22.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.23.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.28.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.28.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:* versions up to 7.29.0 (inclusive)

Configuration 3

OR

cpe:2.3:o:canonical:ubuntu_linux:8.04:-:lts:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*

Tenable Plugins

27 plugins total

ID | Name | Product | Family | Severity
125002 | EulerOS Virtualization 3.0.1.0 : curl (EulerOS-SA-2019-1549) | Nessus | Huawei Local Security Checks | critical
91740 | OracleVM 3.2 : curl (OVMSA-2016-0056) | Nessus | OracleVM Local Security Checks | medium
80662 | Oracle Solaris Third-Party Patch Update : libcurl (cve_2013_1944_information_disclosure) | Nessus | Solaris Local Security Checks | medium
79602 | F5 Networks BIG-IP : cURL vulnerability (SOL15875) | Nessus | F5 Networks Local Security Checks | medium
74978 | openSUSE Security Update : curl (openSUSE-SU-2013:0876-1) | Nessus | SuSE Local Security Checks | medium
72053 | GLSA-201401-14 : cURL: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high
70561 | Mac OS X 10.x < 10.9 Multiple Vulnerabilities (BEAST) | Nessus | MacOS X Local Security Checks | high
69768 | Amazon Linux AMI : curl (ALAS-2013-210) | Nessus | Amazon Linux Local Security Checks | medium
68816 | Oracle Linux 5 / 6 : curl (ELSA-2013-0771) | Nessus | Oracle Linux Local Security Checks | medium
67223 | SuSE 10 Security Update : libcurl4 (ZYPP Patch Number 8618) (BEAST) | Nessus | SuSE Local Security Checks | medium
801394 | cURL/libcURL 'tailmatch()' Function Information Disclosure Vulnerability | Log Correlation Engine | Web Clients | medium
6905 | cURL/libcURL 'tailmatch()' Function Information Disclosure | Nessus Network Monitor | Web Clients | medium
66594 | Fedora 17 : curl-7.24.0-9.fc17 (2013-7797) | Nessus | Fedora Local Security Checks | medium
66436 | Fedora 18 : curl-7.27.0-10.fc18 (2013-7813) | Nessus | Fedora Local Security Checks | medium
66356 | SuSE 10 Security Update : curl, curl (ZYPP Patch Number 8550) | Nessus | SuSE Local Security Checks | medium
66355 | SuSE 10 Security Update : compat-curl2 (ZYPP Patch Number 8557) | Nessus | SuSE Local Security Checks | medium
66354 | SuSE 11.2 Security Update : curl (SAT Patch Number 7633) | Nessus | SuSE Local Security Checks | medium
66324 | Fedora 18 : curl-7.27.0-9.fc18 (2013-6766) | Nessus | Fedora Local Security Checks | medium
66284 | Fedora 19 : curl-7.29.0-6.fc19 (2013-6780) | Nessus | Fedora Local Security Checks | medium
66251 | Mandriva Linux Security Advisory : curl (MDVSA-2013:151) | Nessus | Mandriva Local Security Checks | medium
66226 | Scientific Linux Security Update : curl on SL5.x, SL6.x i386/x86_64 (20130424) | Nessus | Scientific Linux Local Security Checks | medium
66213 | RHEL 5 / 6 : curl (RHSA-2013:0771) | Nessus | Red Hat Local Security Checks | medium
66206 | CentOS 5 / 6 : curl (CESA-2013:0771) | Nessus | CentOS Local Security Checks | medium
66165 | Fedora 19 : curl-7.29.0-5.fc19 (2013-5598) | Nessus | Fedora Local Security Checks | medium
66159 | Debian DSA-2660-1 : curl - exposure of sensitive information | Nessus | Debian Local Security Checks | medium
66009 | Fedora 18 : curl-7.27.0-8.fc18 (2013-5618) | Nessus | Fedora Local Security Checks | medium
65981 | Ubuntu 8.04 LTS / 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : curl vulnerability (USN-1801-1) | Nessus | Ubuntu Local Security Checks | medium