CVE-2014-3707


Description

The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy HTTP POST data for an easy handle, which triggers an out-of-bounds read that allows remote web servers to read sensitive memory information.

References

http://curl.haxx.se/docs/adv_20141105.html

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743

http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html

http://lists.opensuse.org/opensuse-updates/2015-02/msg00040.html

http://rhn.redhat.com/errata/RHSA-2015-1254.html

http://www.debian.org/security/2014/dsa-3069

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html

http://www.securityfocus.com/bid/70988

http://www.ubuntu.com/usn/USN-2399-1

https://support.apple.com/kb/HT205031

Details

Source: MITRE

Published: 2014-11-15

Updated: 2018-10-30

Type: CWE-200

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:o:apple:mac_os_x:10.10.0:*:*:*:*:*:*:*

cpe:2.3:o:apple:mac_os_x:10.10.1:*:*:*:*:*:*:*

cpe:2.3:o:apple:mac_os_x:10.10.2:*:*:*:*:*:*:*

cpe:2.3:o:apple:mac_os_x:10.10.3:*:*:*:*:*:*:*

cpe:2.3:o:apple:mac_os_x:10.10.4:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:a:oracle:hyperion:11.1.2.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:hyperion:11.1.2.3:*:*:*:*:*:*:*

Configuration 5

OR

cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 6

OR

cpe:2.3:a:haxx:libcurl:7.17.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.18.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.18.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.18.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.20.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.20.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.22.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.23.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.23.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.24.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.25.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.26.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.27.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.28.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.28.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.29.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.30.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.31.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.32.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.33.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.34.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.35.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.36.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.37.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.37.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.38.0:*:*:*:*:*:*:*

Tenable Plugins (31 total)

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 125003 | EulerOS Virtualization 3.0.1.0 : curl (EulerOS-SA-2019-1550) | Nessus | Huawei Local Security Checks | critical |
| 87554 | Scientific Linux Security Update : curl on SL7.x x86_64 (20151119) | Nessus | Scientific Linux Local Security Checks | medium |
| 87138 | CentOS 7 : curl (CESA-2015:2159) | Nessus | CentOS Local Security Checks | medium |
| 87028 | Oracle Linux 7 : curl (ELSA-2015-2159) | Nessus | Oracle Linux Local Security Checks | medium |
| 86934 | RHEL 7 : curl (RHSA-2015:2159) | Nessus | Red Hat Local Security Checks | medium |
| 8981 | Mac OS X < 10.10.5 Multiple Vulnerabilities | Nessus Network Monitor | Operating System Detection | high |
| 85408 | Mac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | high |
| 85191 | Scientific Linux Security Update : curl on SL6.x i386/x86_64 (20150722) | Nessus | Scientific Linux Local Security Checks | medium |
| 85148 | OracleVM 3.3 : curl (OVMSA-2015-0107) | Nessus | OracleVM Local Security Checks | medium |
| 85096 | Oracle Linux 6 : curl (ELSA-2015-1254) | Nessus | Oracle Linux Local Security Checks | medium |
| 85009 | CentOS 6 : curl (CESA-2015:1254) | Nessus | CentOS Local Security Checks | medium |
| 84912 | RHEL 6 : curl (RHSA-2015:1254) | Nessus | Red Hat Local Security Checks | medium |
| 83668 | SUSE SLED12 / SLES12 Security Update : curl (SUSE-SU-2015:0083-1) | Nessus | SuSE Local Security Checks | medium |
| 82351 | Mandriva Linux Security Advisory : curl (MDVSA-2015:098) | Nessus | Mandriva Local Security Checks | medium |
| 82229 | Debian DLA-84-1 : curl security update | Nessus | Debian Local Security Checks | medium |
| 81323 | Amazon Linux AMI : curl (ALAS-2015-477) | Nessus | Amazon Linux Local Security Checks | medium |
| 81287 | openSUSE Security Update : curl (openSUSE-2015-125) | Nessus | SuSE Local Security Checks | medium |
| 81121 | SuSE 11.3 Security Update : curl (SAT Patch Number 10166) | Nessus | SuSE Local Security Checks | medium |
| 80664 | Oracle Solaris Third-Party Patch Update : libcurl (cve_2014_3707_information_disclosure) | Nessus | Solaris Local Security Checks | medium |
| 80337 | Fedora 19 : curl-7.29.0-27.fc19 (2014-16690) | Nessus | Fedora Local Security Checks | medium |
| 80325 | Fedora 21 : mingw-curl-7.39.0-1.fc21 (2014-17601) | Nessus | Fedora Local Security Checks | medium |
| 80324 | Fedora 20 : mingw-curl-7.39.0-1.fc20 (2014-17596) | Nessus | Fedora Local Security Checks | medium |
| 79951 | Fedora 21 : curl-7.37.0-11.fc21 (2014-16605) | Nessus | Fedora Local Security Checks | medium |
| 79950 | Fedora 20 : curl-7.32.0-17.fc20 (2014-16538) | Nessus | Fedora Local Security Checks | medium |
| 79655 | Fedora 20 : curl-7.32.0-16.fc20 (2014-15706) | Nessus | Fedora Local Security Checks | medium |
| 79321 | Mandriva Linux Security Advisory : curl (MDVSA-2014:213) | Nessus | Mandriva Local Security Checks | medium |
| 79119 | Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : curl vulnerability (USN-2399-1) | Nessus | Ubuntu Local Security Checks | medium |
| 79100 | Fedora 20 : curl-7.32.0-15.fc20 (2014-14354) | Nessus | Fedora Local Security Checks | medium |
| 79099 | Fedora 21 : curl-7.37.0-9.fc21 (2014-14338) | Nessus | Fedora Local Security Checks | medium |
| 8565 | cURL/libcURL 7.x < 7.39.0 'curl_easy_duphandle()' Out-of-Bounds Read Issue | Nessus Network Monitor | Web Clients | medium |
| 79065 | Debian DSA-3069-1 : curl - security update | Nessus | Debian Local Security Checks | medium |