CVE-2014-3613


Description

cURL and libcurl before 7.38.0 do not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.

References

http://curl.haxx.se/docs/adv_20140910A.html

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743

http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00024.html

http://rhn.redhat.com/errata/RHSA-2015-1254.html

http://www.debian.org/security/2014/dsa-3022

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html

http://www.securityfocus.com/bid/69748

https://support.apple.com/kb/HT205031

Details

Source: MITRE

Published: 2014-11-18

Updated: 2018-01-05

Type: CWE-310

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

Tenable Plugins


ID | Name | Product | Family | Severity
125002 | EulerOS Virtualization 3.0.1.0 : curl (EulerOS-SA-2019-1549) | Nessus | Huawei Local Security Checks | critical
87554 | Scientific Linux Security Update : curl on SL7.x x86_64 (20151119) | Nessus | Scientific Linux Local Security Checks | medium
87138 | CentOS 7 : curl (CESA-2015:2159) | Nessus | CentOS Local Security Checks | medium
87028 | Oracle Linux 7 : curl (ELSA-2015-2159) | Nessus | Oracle Linux Local Security Checks | medium
86934 | RHEL 7 : curl (RHSA-2015:2159) | Nessus | Red Hat Local Security Checks | medium
8981 | Mac OS X < 10.10.5 Multiple Vulnerabilities | Nessus Network Monitor | Operating System Detection | high
85408 | Mac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | high
85191 | Scientific Linux Security Update : curl on SL6.x i386/x86_64 (20150722) | Nessus | Scientific Linux Local Security Checks | medium
85148 | OracleVM 3.3 : curl (OVMSA-2015-0107) | Nessus | OracleVM Local Security Checks | medium
85096 | Oracle Linux 6 : curl (ELSA-2015-1254) | Nessus | Oracle Linux Local Security Checks | medium
85009 | CentOS 6 : curl (CESA-2015:1254) | Nessus | CentOS Local Security Checks | medium
84912 | RHEL 6 : curl (RHSA-2015:1254) | Nessus | Red Hat Local Security Checks | medium
82351 | Mandriva Linux Security Advisory : curl (MDVSA-2015:098) | Nessus | Mandriva Local Security Checks | medium
82209 | Debian DLA-64-1 : curl security update | Nessus | Debian Local Security Checks | medium
81121 | SuSE 11.3 Security Update : curl (SAT Patch Number 10166) | Nessus | SuSE Local Security Checks | medium
80663 | Oracle Solaris Third-Party Patch Update : libcurl (cve_2014_3613_cookie_leak) | Nessus | Solaris Local Security Checks | medium
80325 | Fedora 21 : mingw-curl-7.39.0-1.fc21 (2014-17601) | Nessus | Fedora Local Security Checks | medium
80324 | Fedora 20 : mingw-curl-7.39.0-1.fc20 (2014-17596) | Nessus | Fedora Local Security Checks | medium
78350 | Amazon Linux AMI : curl (ALAS-2014-407) | Nessus | Amazon Linux Local Security Checks | medium
78093 | Fedora 19 : curl-7.29.0-23.fc19 (2014-10714) | Nessus | Fedora Local Security Checks | medium
77887 | Mandriva Linux Security Advisory : curl (MDVSA-2014:187) | Nessus | Mandriva Local Security Checks | medium
77792 | Fedora 21 : curl-7.37.0-7.fc21 (2014-10679) | Nessus | Fedora Local Security Checks | medium
77734 | openSUSE Security Update : curl (openSUSE-SU-2014:1139-1) | Nessus | SuSE Local Security Checks | medium
77701 | Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : curl vulnerabilities (USN-2346-1) | Nessus | Ubuntu Local Security Checks | medium
77677 | Fedora 20 : curl-7.32.0-13.fc20 (2014-10741) | Nessus | Fedora Local Security Checks | medium
8385 | cURL/libcURL 7.x < 7.38.0 Multiple Vulnerabilities | Nessus Network Monitor | Web Clients | low
77611 | Debian DSA-3022-1 : curl - security update | Nessus | Debian Local Security Checks | medium