CVE-2014-0139

medium

Description

cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.

References

http://advisories.mageia.org/MGASA-2015-0165.html

http://curl.haxx.se/docs/adv_20140326B.html

http://lists.opensuse.org/opensuse-updates/2014-04/msg00042.html

http://secunia.com/advisories/57836

http://secunia.com/advisories/57966

http://secunia.com/advisories/57968

http://secunia.com/advisories/58615

http://secunia.com/advisories/59458

http://www.debian.org/security/2014/dsa-2902

http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/

http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/

http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/

http://www.mandriva.com/security/advisories?name=MDVSA-2015:213

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

http://www.ubuntu.com/usn/USN-2167-1

http://www-01.ibm.com/support/docview.wss?uid=swg21675820

http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095862

Details

Source: MITRE

Published: 2014-04-15

Updated: 2017-12-16

Type: CWE-310

Risk Information

CVSS v2

Base Score: 5.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1


Tenable Plugins

16 total

ID | Name | Product | Family | Severity
137468 | EulerOS 2.0 SP2 : curl (EulerOS-SA-2020-1626) | Nessus | Huawei Local Security Checks | critical
123858 | EulerOS Virtualization 2.5.3 : curl (EulerOS-SA-2019-1172) | Nessus | Huawei Local Security Checks | critical
90251 | HP System Management Homepage < 7.2.6 Multiple Vulnerabilities (FREAK) | Nessus | Web Servers | high
83155 | Mandriva Linux Security Advisory : lftp (MDVSA-2015:213) | Nessus | Mandriva Local Security Checks | medium
82351 | Mandriva Linux Security Advisory : curl (MDVSA-2015:098) | Nessus | Mandriva Local Security Checks | medium
81784 | IBM Rational ClearQuest 7.1.x < 7.1.2.16 / 8.0.0.x < 8.0.0.13 / 8.0.1.x < 8.0.1.6 Multiple Vulnerabilities (credentialed check) (POODLE) | Nessus | Windows | medium
76180 | GLSA-201406-21 : cURL: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | medium
75339 | openSUSE Security Update : curl (openSUSE-SU-2014:0598-1) | Nessus | SuSE Local Security Checks | medium
74418 | Mandriva Linux Security Advisory : curl (MDVSA-2014:110) | Nessus | Mandriva Local Security Checks | medium
74408 | Fedora 19 : mingw-curl-7.37.0-1.fc19 (2014-6921) | Nessus | Fedora Local Security Checks | medium
74406 | Fedora 20 : mingw-curl-7.37.0-1.fc20 (2014-6912) | Nessus | Fedora Local Security Checks | medium
74115 | SuSE 11.3 Security Update : curl (SAT Patch Number 9133) | Nessus | SuSE Local Security Checks | medium
73514 | Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : curl vulnerabilities (USN-2167-1) | Nessus | Ubuntu Local Security Checks | medium
73486 | Debian DSA-2902-1 : curl - security update | Nessus | Debian Local Security Checks | medium
8178 | cURL/libcURL 7.x < 7.35.0 Multiple Vulnerabilities | Nessus Network Monitor | Web Clients | medium
73247 | Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : curl (SSA:2014-086-01) | Nessus | Slackware Local Security Checks | medium