CVE-2014-8150

MEDIUM

Description

CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.

References

http://advisories.mageia.org/MGASA-2015-0020.html

http://curl.haxx.se/docs/adv_20150108B.html

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743

http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147856.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147876.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-May/156945.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157188.html

http://lists.opensuse.org/opensuse-updates/2015-02/msg00040.html

http://rhn.redhat.com/errata/RHSA-2015-1254.html

http://secunia.com/advisories/61925

http://secunia.com/advisories/62075

http://secunia.com/advisories/62361

http://www.debian.org/security/2015/dsa-3122

http://www.mandriva.com/security/advisories?name=MDVSA-2015:021

http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html

http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html

http://www.securityfocus.com/bid/71964

http://www.securitytracker.com/id/1032768

http://www.ubuntu.com/usn/USN-2474-1

https://kc.mcafee.com/corporate/index?page=content&id=SB10131

https://security.gentoo.org/glsa/201701-47

https://support.apple.com/kb/HT205031

Details

Source: MITRE

Published: 2015-01-15

Updated: 2018-01-05

Risk Information

CVSS v2.0

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:haxx:libcurl:6.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:6.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:6.1:beta:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:6.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:6.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:6.3.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:6.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:6.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:6.5.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:6.5.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.1.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.2.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.4.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.4.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.5.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.5.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.6.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.7.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.7.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.7.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.8:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.8.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.9:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.9.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.9.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.9.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.9.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.9.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.9.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.9.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.9.8:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.10:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.10.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.10.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.10.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.10.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.10.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.10.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.10.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.10.8:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.11.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.11.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.11.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.12.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.12.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.12.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.12.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.13.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.13.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.13.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.14.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.14.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.15.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.16.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.17.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.17.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.18.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.18.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.18.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.19.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.20.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.20.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.2:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.3:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.4:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.5:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.6:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.21.7:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.22.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.23.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.23.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.24.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.25.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.26.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.27.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.28.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.28.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.29.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.30.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.31.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.32.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.33.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.34.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.35.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.36.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.37.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.37.1:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.38.0:*:*:*:*:*:*:*

cpe:2.3:a:haxx:libcurl:7.39:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*

Tenable Plugins

View all (29 total)

IDNameProductFamilySeverity
125002EulerOS Virtualization 3.0.1.0 : curl (EulerOS-SA-2019-1549)NessusHuawei Local Security Checks
high
96644GLSA-201701-47 : cURL: Multiple vulnerabilitiesNessusGentoo Local Security Checks
high
87554Scientific Linux Security Update : curl on SL7.x x86_64 (20151119)NessusScientific Linux Local Security Checks
medium
87138CentOS 7 : curl (CESA-2015:2159)NessusCentOS Local Security Checks
medium
87028Oracle Linux 7 : curl (ELSA-2015-2159)NessusOracle Linux Local Security Checks
medium
86934RHEL 7 : curl (RHSA-2015:2159)NessusRed Hat Local Security Checks
medium
8981Mac OS X < 10.10.5 Multiple VulnerabilitiesNessus Network MonitorOperating System Detection
high
85408Mac OS X 10.10.x < 10.10.5 Multiple VulnerabilitiesNessusMacOS X Local Security Checks
high
85191Scientific Linux Security Update : curl on SL6.x i386/x86_64 (20150722)NessusScientific Linux Local Security Checks
medium
85148OracleVM 3.3 : curl (OVMSA-2015-0107)NessusOracleVM Local Security Checks
medium
85096Oracle Linux 6 : curl (ELSA-2015-1254)NessusOracle Linux Local Security Checks
medium
85009CentOS 6 : curl (CESA-2015:1254)NessusCentOS Local Security Checks
medium
84912RHEL 6 : curl (RHSA-2015:1254)NessusRed Hat Local Security Checks
medium
83668SUSE SLED12 / SLES12 Security Update : curl (SUSE-SU-2015:0083-1)NessusSuSE Local Security Checks
medium
83237Fedora 21 : mingw-curl-7.42.0-1.fc21 (2015-6853)NessusFedora Local Security Checks
high
83212Fedora 22 : mingw-curl-7.42.0-1.fc22 (2015-6864)NessusFedora Local Security Checks
high
82351Mandriva Linux Security Advisory : curl (MDVSA-2015:098)NessusMandriva Local Security Checks
medium
82117Debian DLA-134-1 : curl security updateNessusDebian Local Security Checks
medium
81323Amazon Linux AMI : curl (ALAS-2015-477)NessusAmazon Linux Local Security Checks
medium
81287openSUSE Security Update : curl (openSUSE-2015-125)NessusSuSE Local Security Checks
medium
81257Asterisk libcURL HTTP Request Injection (AST-2015-002)NessusMisc.
medium
81121SuSE 11.3 Security Update : curl (SAT Patch Number 10166)NessusSuSE Local Security Checks
medium
80826Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : curl vulnerability (USN-2474-1)NessusUbuntu Local Security Checks
medium
80467Mandriva Linux Security Advisory : curl (MDVSA-2015:021)NessusMandriva Local Security Checks
medium
80453FreeBSD : cURL -- URL request injection vulnerability (caa98ffd-0a92-40d0-b234-fd79b429157e)NessusFreeBSD Local Security Checks
medium
80450Fedora 20 : curl-7.32.0-18.fc20 (2015-0418)NessusFedora Local Security Checks
medium
80449Fedora 21 : curl-7.37.0-12.fc21 (2015-0415)NessusFedora Local Security Checks
medium
8620cURL / libcURL 7.x < 7.40.0 Remote Security BypassNessus Network MonitorWeb Clients
medium
80421Debian DSA-3122-1 : curl - security updateNessusDebian Local Security Checks
medium