CVE-2014-0138

MEDIUM
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015.

References

http://curl.haxx.se/docs/adv_20140326A.html

http://lists.opensuse.org/opensuse-updates/2014-04/msg00042.html

http://seclists.org/fulldisclosure/2014/Dec/23

http://secunia.com/advisories/57836

http://secunia.com/advisories/57966

http://secunia.com/advisories/57968

http://secunia.com/advisories/58615

http://secunia.com/advisories/59458

http://www.debian.org/security/2014/dsa-2902

http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/

http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/

http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

http://www.securityfocus.com/archive/1/534161/100/0/threaded

http://www.ubuntu.com/usn/USN-2167-1

http://www.vmware.com/security/advisories/VMSA-2014-0012.html

http://www-01.ibm.com/support/docview.wss?uid=swg21675820

http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095862

Details

Source: MITRE

Published: 2014-04-15

Updated: 2018-10-09

Type: CWE-287

Risk Information

CVSS v2

Base Score: 6.4

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 10

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:haxx:curl:7.10.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.10.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.10.8:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.11.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.11.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.11.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.12.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.12.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.12.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.12.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.13.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.13.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.13.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.14.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.14.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.15.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.16.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.16.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.16.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.16.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.16.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.17.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.17.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.18.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.18.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.18.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.19.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.20.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.20.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.21.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.22.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.23.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.23.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.24.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.25.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.26.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.27.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.28.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.28.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.29.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.30.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.31.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.32.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.33.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.34.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:curl:7.35.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.10.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.10.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.10.8:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.11.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.11.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.11.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.12.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.12.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.12.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.12.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.13.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.13.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.13.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.14.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.14.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.17.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.17.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.18.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.18.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.18.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.20.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.20.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.22.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.23.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.23.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.24.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.25.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.26.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.27.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.28.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.28.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.29.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.30.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.31.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.32.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.33.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.34.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.35.0:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*

Tenable Plugins

View all (25 total)

IDNameProductFamilySeverity
125002EulerOS Virtualization 3.0.1.0 : curl (EulerOS-SA-2019-1549)NessusHuawei Local Security Checks
critical
90251HP System Management Homepage < 7.2.6 Multiple Vulnerabilities (FREAK)NessusWeb Servers
high
87681VMware ESXi Multiple Vulnerabilities (VMSA-2014-0012)NessusMisc.
medium
85148OracleVM 3.3 : curl (OVMSA-2015-0107)NessusOracleVM Local Security Checks
medium
82351Mandriva Linux Security Advisory : curl (MDVSA-2015:098)NessusMandriva Local Security Checks
medium
79865VMware Security Updates for vCenter Server (VMSA-2014-0012)NessusMisc.
critical
79862ESXi 5.1 < Build 2323236 Third-Party Libraries Multiple Vulnerabilities (remote check) (BEAST)NessusMisc.
medium
79762VMSA-2014-0012 : VMware vSphere product updates address security vulnerabilitiesNessusVMware ESX Local Security Checks
medium
76180GLSA-201406-21 : cURL: Multiple vulnerabilitiesNessusGentoo Local Security Checks
medium
75339openSUSE Security Update : curl (openSUSE-SU-2014:0598-1)NessusSuSE Local Security Checks
medium
74418Mandriva Linux Security Advisory : curl (MDVSA-2014:110)NessusMandriva Local Security Checks
medium
74408Fedora 19 : mingw-curl-7.37.0-1.fc19 (2014-6921)NessusFedora Local Security Checks
medium
74406Fedora 20 : mingw-curl-7.37.0-1.fc20 (2014-6912)NessusFedora Local Security Checks
medium
74227CentOS 6 : curl (CESA-2014:0561)NessusCentOS Local Security Checks
medium
74208Scientific Linux Security Update : curl on SL6.x i386/x86_64 (20140527)NessusScientific Linux Local Security Checks
medium
74205RHEL 6 : curl (RHSA-2014:0561)NessusRed Hat Local Security Checks
medium
74203Oracle Linux 6 : curl (ELSA-2014-0561)NessusOracle Linux Local Security Checks
medium
74115SuSE 11.3 Security Update : curl (SAT Patch Number 9133)NessusSuSE Local Security Checks
medium
73650Amazon Linux AMI : curl (ALAS-2014-322)NessusAmazon Linux Local Security Checks
medium
73514Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : curl vulnerabilities (USN-2167-1)NessusUbuntu Local Security Checks
medium
73486Debian DSA-2902-1 : curl - security updateNessusDebian Local Security Checks
medium
8178cURL/libcURL 7.x < 7.35.0 Multiple VulnerabilitiesNessus Network MonitorWeb Clients
medium
73264Fedora 19 : curl-7.29.0-17.fc19 (2014-4449)NessusFedora Local Security Checks
medium
73263Fedora 20 : curl-7.32.0-8.fc20 (2014-4436)NessusFedora Local Security Checks
medium
73247Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : curl (SSA:2014-086-01)NessusSlackware Local Security Checks
medium