CVE-2014-3707MEDIUM
Description
The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy HTTP POST data for an easy handle, which triggers an out-of-bounds read that allows remote web servers to read sensitive memory information.
References
http://curl.haxx.se/docs/adv_20141105.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
http://lists.opensuse.org/opensuse-updates/2015-02/msg00040.html
http://rhn.redhat.com/errata/RHSA-2015-1254.html
http://www.debian.org/security/2014/dsa-3069
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
http://www.securityfocus.com/bid/70988
Vulnerable Software
Configuration 1
OR
cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
Configuration 2
OR
cpe:2.3:o:apple:mac_os_x:10.10.0:*:*:*:*:*:*:*
cpe:2.3:o:apple:mac_os_x:10.10.1:*:*:*:*:*:*:*
cpe:2.3:o:apple:mac_os_x:10.10.2:*:*:*:*:*:*:*
Configuration 3
OR
Configuration 4
OR
Configuration 5
OR
Configuration 6
OR
cpe:2.3:a:haxx:libcurl:7.17.1:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.18.0:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.18.1:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.18.2:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.19.0:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.19.1:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.19.2:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.19.3:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.19.4:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.19.5:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.19.6:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.19.7:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.20.0:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.20.1:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.21.0:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.21.1:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.21.2:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.21.3:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.21.4:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.21.5:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.21.6:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.21.7:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.22.0:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.23.0:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.23.1:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.24.0:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.25.0:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.26.0:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.27.0:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.28.0:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.28.1:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.29.0:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.30.0:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.31.0:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.32.0:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.33.0:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.34.0:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.35.0:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.36.0:*:*:*:*:*:*:*
cpe:2.3:a:haxx:libcurl:7.37.0:*:*:*:*:*:*:*
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 125003 | EulerOS Virtualization 3.0.1.0 : curl (EulerOS-SA-2019-1550) | Nessus | Huawei Local Security Checks | high |
| 87554 | Scientific Linux Security Update : curl on SL7.x x86_64 (20151119) | Nessus | Scientific Linux Local Security Checks | medium |
| 87138 | CentOS 7 : curl (CESA-2015:2159) | Nessus | CentOS Local Security Checks | medium |
| 87028 | Oracle Linux 7 : curl (ELSA-2015-2159) | Nessus | Oracle Linux Local Security Checks | medium |
| 86934 | RHEL 7 : curl (RHSA-2015:2159) | Nessus | Red Hat Local Security Checks | medium |
| 8981 | Mac OS X < 10.10.5 Multiple Vulnerabilities | Nessus Network Monitor | Operating System Detection | high |
| 85408 | Mac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | high |
| 85191 | Scientific Linux Security Update : curl on SL6.x i386/x86_64 (20150722) | Nessus | Scientific Linux Local Security Checks | medium |
| 85148 | OracleVM 3.3 : curl (OVMSA-2015-0107) | Nessus | OracleVM Local Security Checks | medium |
| 85096 | Oracle Linux 6 : curl (ELSA-2015-1254) | Nessus | Oracle Linux Local Security Checks | medium |
| 85009 | CentOS 6 : curl (CESA-2015:1254) | Nessus | CentOS Local Security Checks | medium |
| 84912 | RHEL 6 : curl (RHSA-2015:1254) | Nessus | Red Hat Local Security Checks | medium |
| 83668 | SUSE SLED12 / SLES12 Security Update : curl (SUSE-SU-2015:0083-1) | Nessus | SuSE Local Security Checks | medium |
| 82351 | Mandriva Linux Security Advisory : curl (MDVSA-2015:098) | Nessus | Mandriva Local Security Checks | medium |
| 82229 | Debian DLA-84-1 : curl security update | Nessus | Debian Local Security Checks | medium |
| 81323 | Amazon Linux AMI : curl (ALAS-2015-477) | Nessus | Amazon Linux Local Security Checks | medium |
| 81287 | openSUSE Security Update : curl (openSUSE-2015-125) | Nessus | SuSE Local Security Checks | medium |
| 81121 | SuSE 11.3 Security Update : curl (SAT Patch Number 10166) | Nessus | SuSE Local Security Checks | medium |
| 80664 | Oracle Solaris Third-Party Patch Update : libcurl (cve_2014_3707_information_disclosure) | Nessus | Solaris Local Security Checks | medium |
| 80337 | Fedora 19 : curl-7.29.0-27.fc19 (2014-16690) | Nessus | Fedora Local Security Checks | medium |
| 80325 | Fedora 21 : mingw-curl-7.39.0-1.fc21 (2014-17601) | Nessus | Fedora Local Security Checks | medium |
| 80324 | Fedora 20 : mingw-curl-7.39.0-1.fc20 (2014-17596) | Nessus | Fedora Local Security Checks | medium |
| 79951 | Fedora 21 : curl-7.37.0-11.fc21 (2014-16605) | Nessus | Fedora Local Security Checks | medium |
| 79950 | Fedora 20 : curl-7.32.0-17.fc20 (2014-16538) | Nessus | Fedora Local Security Checks | medium |
| 79655 | Fedora 20 : curl-7.32.0-16.fc20 (2014-15706) | Nessus | Fedora Local Security Checks | medium |
| 79321 | Mandriva Linux Security Advisory : curl (MDVSA-2014:213) | Nessus | Mandriva Local Security Checks | medium |
| 79119 | Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : curl vulnerability (USN-2399-1) | Nessus | Ubuntu Local Security Checks | medium |
| 79100 | Fedora 20 : curl-7.32.0-15.fc20 (2014-14354) | Nessus | Fedora Local Security Checks | medium |
| 79099 | Fedora 21 : curl-7.37.0-9.fc21 (2014-14338) | Nessus | Fedora Local Security Checks | medium |
| 8565 | cURL/libcURL 7.x < 7.39.0 'curl_easy_duphandle()' Out-of-Bounds Read Issue | Nessus Network Monitor | Web Clients | medium |
| 79065 | Debian DSA-3069-1 : curl - security update | Nessus | Debian Local Security Checks | medium |