CVE-2014-0015

medium

Description

cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.

References

http://archives.neohapsis.com/archives/bugtraq/2014-06/0172.html

http://curl.haxx.se/docs/adv_20140129.html

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743

http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127627.html

http://lists.fedoraproject.org/pipermail/package-announce/2014-February/128408.html

http://lists.opensuse.org/opensuse-updates/2014-02/msg00066.html

http://seclists.org/fulldisclosure/2014/Dec/23

http://secunia.com/advisories/56728

http://secunia.com/advisories/56731

http://secunia.com/advisories/56734

http://secunia.com/advisories/56912

http://secunia.com/advisories/59458

http://secunia.com/advisories/59475

http://support.apple.com/kb/HT6296

http://www.debian.org/security/2014/dsa-2849

http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

http://www.securityfocus.com/archive/1/534161/100/0/threaded

http://www.securityfocus.com/bid/65270

http://www.securitytracker.com/id/1029710

http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.502652

http://www.ubuntu.com/usn/USN-2097-1

http://www.vmware.com/security/advisories/VMSA-2014-0012.html

http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095862

Details

Source: MITRE

Published: 2014-02-02

Updated: 2018-10-09

Type: CWE-287

Risk Information

CVSS v2

Base Score: 4

Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 4.9

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:haxx:libcurl:7.10.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.10.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.10.8:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.11.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.11.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.11.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.12.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.12.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.12.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.12.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.13.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.13.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.13.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.14.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.14.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.17.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.17.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.18.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.18.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.18.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.20.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.20.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.22.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.23.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.23.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.24.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.25.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.26.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.27.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.28.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.28.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.29.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.30.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.31.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.32.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.33.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.34.0:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:haxx:curl:7.10.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.10.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.10.8:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.11.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.11.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.11.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.12.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.12.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.12.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.12.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.13.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.13.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.13.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.14.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.14.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.16.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.16.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.16.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.16.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.16.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.17.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.17.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.18.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.18.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.18.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.20.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.20.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.22.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.23.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.23.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.24.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.25.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.26.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.27.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.28.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.28.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.29.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.30.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.31.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.32.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.33.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.34.0:*:*:*:*:*:*:*

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 125002 | EulerOS Virtualization 3.0.1.0 : curl (EulerOS-SA-2019-1549) | Nessus | Huawei Local Security Checks | critical |
| 99203 | F5 Networks BIG-IP : cURL and libcurl vulnerability (K16704) | Nessus | F5 Networks Local Security Checks | medium |
| 90251 | HP System Management Homepage < 7.2.6 Multiple Vulnerabilities (FREAK) | Nessus | Web Servers | high |
| 87681 | VMware ESXi Multiple Vulnerabilities (VMSA-2014-0012) | Nessus | Misc. | medium |
| 85148 | OracleVM 3.3 : curl (OVMSA-2015-0107) | Nessus | OracleVM Local Security Checks | medium |
| 82351 | Mandriva Linux Security Advisory : curl (MDVSA-2015:098) | Nessus | Mandriva Local Security Checks | medium |
| 80662 | Oracle Solaris Third-Party Patch Update : libcurl (cve_2013_1944_information_disclosure) | Nessus | Solaris Local Security Checks | medium |
| 79865 | VMware Security Updates for vCenter Server (VMSA-2014-0012) | Nessus | Misc. | critical |
| 79862 | ESXi 5.1 < Build 2323236 Third-Party Libraries Multiple Vulnerabilities (remote check) (BEAST) | Nessus | Misc. | medium |
| 79762 | VMSA-2014-0012 : VMware vSphere product updates address security vulnerabilities | Nessus | VMware ESX Local Security Checks | medium |
| 8321 | Mac OS X < 10.9.4 Multiple Vulnerabilities (Security Update 2014-003) | Nessus Network Monitor | Web Clients | critical |
| 76317 | Mac OS X 10.9.x < 10.9.4 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | critical |
| 75261 | openSUSE Security Update : curl (openSUSE-SU-2014:0267-1) | Nessus | SuSE Local Security Checks | medium |
| 74418 | Mandriva Linux Security Advisory : curl (MDVSA-2014:110) | Nessus | Mandriva Local Security Checks | medium |
| 74227 | CentOS 6 : curl (CESA-2014:0561) | Nessus | CentOS Local Security Checks | medium |
| 74208 | Scientific Linux Security Update : curl on SL6.x i386/x86_64 (20140527) | Nessus | Scientific Linux Local Security Checks | medium |
| 74205 | RHEL 6 : curl (RHSA-2014:0561) | Nessus | Red Hat Local Security Checks | medium |
| 74203 | Oracle Linux 6 : curl (ELSA-2014-0561) | Nessus | Oracle Linux Local Security Checks | medium |
| 72751 | Amazon Linux AMI : curl (ALAS-2014-295) | Nessus | Amazon Linux Local Security Checks | medium |
| 72516 | Fedora 19 : curl-7.29.0-13.fc19 (2014-1864) | Nessus | Fedora Local Security Checks | medium |
| 72488 | Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : curl (SSA:2014-044-01) | Nessus | Slackware Local Security Checks | medium |
| 72278 | Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : curl vulnerability (USN-2097-1) | Nessus | Ubuntu Local Security Checks | medium |
| 72253 | Fedora 20 : curl-7.32.0-4.fc20 (2014-1876) | Nessus | Fedora Local Security Checks | medium |
| 72243 | SuSE 11.2 / 11.3 Security Update : curl (SAT Patch Numbers 8796 / 8797) | Nessus | SuSE Local Security Checks | medium |
| 72242 | SuSE 11.2 / 11.3 Security Update : curl (SAT Patch Numbers 8796 / 8797) | Nessus | SuSE Local Security Checks | medium |
| 72239 | Debian DSA-2849-1 : curl - information disclosure | Nessus | Debian Local Security Checks | medium |