CVE-2014-0015

MEDIUM

Description

cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.

References

http://archives.neohapsis.com/archives/bugtraq/2014-06/0172.html

http://curl.haxx.se/docs/adv_20140129.html

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743

http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127627.html

http://lists.fedoraproject.org/pipermail/package-announce/2014-February/128408.html

http://lists.opensuse.org/opensuse-updates/2014-02/msg00066.html

http://seclists.org/fulldisclosure/2014/Dec/23

http://secunia.com/advisories/56728

http://secunia.com/advisories/56731

http://secunia.com/advisories/56734

http://secunia.com/advisories/56912

http://secunia.com/advisories/59458

http://secunia.com/advisories/59475

http://support.apple.com/kb/HT6296

http://www.debian.org/security/2014/dsa-2849

http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

http://www.securityfocus.com/archive/1/534161/100/0/threaded

http://www.securityfocus.com/bid/65270

http://www.securitytracker.com/id/1029710

http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.502652

http://www.ubuntu.com/usn/USN-2097-1

http://www.vmware.com/security/advisories/VMSA-2014-0012.html

http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095862

Details

Source: MITRE

Published: 2014-02-02

Updated: 2018-10-09

Type: CWE-287

Risk Information

CVSS v2.0

Base Score: 4

Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 4.9

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:haxx:libcurl:7.10.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.10.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.10.8:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.11.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.11.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.11.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.12.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.12.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.12.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.12.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.13.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.13.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.13.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.14.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.14.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.17.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.17.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.18.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.18.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.18.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.20.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.20.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.22.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.23.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.23.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.24.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.25.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.26.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.27.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.28.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.28.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.29.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.30.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.31.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.32.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.33.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.34.0:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:haxx:curl:7.10.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.10.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.10.8:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.11.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.11.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.11.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.12.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.12.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.12.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.12.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.13.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.13.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.13.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.14.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.14.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.16.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.16.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.16.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.16.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.16.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.17.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.17.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.18.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.18.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.18.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.20.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.20.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.22.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.23.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.23.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.24.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.25.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.26.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.27.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.28.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.28.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.29.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.30.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.31.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.32.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.33.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.34.0:*:*:*:*:*:*:*

Tenable Plugins

ID | Name | Product | Family | Severity
125002 | EulerOS Virtualization 3.0.1.0 : curl (EulerOS-SA-2019-1549) | Nessus | Huawei Local Security Checks | high
99203 | F5 Networks BIG-IP : cURL and libcurl vulnerability (K16704) | Nessus | F5 Networks Local Security Checks | medium
90251 | HP System Management Homepage < 7.2.6 Multiple Vulnerabilities (FREAK) | Nessus | Web Servers | high
87681 | VMware ESXi Multiple Vulnerabilities (VMSA-2014-0012) | Nessus | Misc. | medium
85148 | OracleVM 3.3 : curl (OVMSA-2015-0107) | Nessus | OracleVM Local Security Checks | medium
82351 | Mandriva Linux Security Advisory : curl (MDVSA-2015:098) | Nessus | Mandriva Local Security Checks | medium
80662 | Oracle Solaris Third-Party Patch Update : libcurl (cve_2013_1944_information_disclosure) | Nessus | Solaris Local Security Checks | medium
79865 | VMware Security Updates for vCenter Server (VMSA-2014-0012) | Nessus | Misc. | critical
79862 | ESXi 5.1 < Build 2323236 Third-Party Libraries Multiple Vulnerabilities (remote check) (BEAST) | Nessus | Misc. | medium
79762 | VMSA-2014-0012 : VMware vSphere product updates address security vulnerabilities | Nessus | VMware ESX Local Security Checks | medium
8321 | Mac OS X < 10.9.4 Multiple Vulnerabilities (Security Update 2014-003) | Nessus Network Monitor | Web Clients | critical
76317 | Mac OS X 10.9.x < 10.9.4 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | critical
75261 | openSUSE Security Update : curl (openSUSE-SU-2014:0267-1) | Nessus | SuSE Local Security Checks | medium
74418 | Mandriva Linux Security Advisory : curl (MDVSA-2014:110) | Nessus | Mandriva Local Security Checks | medium
74227 | CentOS 6 : curl (CESA-2014:0561) | Nessus | CentOS Local Security Checks | medium
74208 | Scientific Linux Security Update : curl on SL6.x i386/x86_64 (20140527) | Nessus | Scientific Linux Local Security Checks | medium
74205 | RHEL 6 : curl (RHSA-2014:0561) | Nessus | Red Hat Local Security Checks | medium
74203 | Oracle Linux 6 : curl (ELSA-2014-0561) | Nessus | Oracle Linux Local Security Checks | medium
72751 | Amazon Linux AMI : curl (ALAS-2014-295) | Nessus | Amazon Linux Local Security Checks | medium
72516 | Fedora 19 : curl-7.29.0-13.fc19 (2014-1864) | Nessus | Fedora Local Security Checks | medium
72488 | Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : curl (SSA:2014-044-01) | Nessus | Slackware Local Security Checks | medium
72278 | Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : curl vulnerability (USN-2097-1) | Nessus | Ubuntu Local Security Checks | medium
72253 | Fedora 20 : curl-7.32.0-4.fc20 (2014-1876) | Nessus | Fedora Local Security Checks | medium
72243 | SuSE 11.2 / 11.3 Security Update : curl (SAT Patch Numbers 8796 / 8797) | Nessus | SuSE Local Security Checks | medium
72242 | SuSE 11.2 / 11.3 Security Update : curl (SAT Patch Numbers 8796 / 8797) | Nessus | SuSE Local Security Checks | medium
72239 | Debian DSA-2849-1 : curl - information disclosure | Nessus | Debian Local Security Checks | medium