fkie_cve-2014-3613
Vulnerability from fkie_nvd
Published
2014-11-18 15:59
Modified
2025-04-12 10:46
Severity ?
Summary
cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.
References
secalert@redhat.comhttp://curl.haxx.se/docs/adv_20140910A.htmlPatch
secalert@redhat.comhttp://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743
secalert@redhat.comhttp://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
secalert@redhat.comhttp://lists.opensuse.org/opensuse-security-announce/2014-09/msg00024.html
secalert@redhat.comhttp://rhn.redhat.com/errata/RHSA-2015-1254.html
secalert@redhat.comhttp://www.debian.org/security/2014/dsa-3022Vendor Advisory
secalert@redhat.comhttp://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
secalert@redhat.comhttp://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
secalert@redhat.comhttp://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
secalert@redhat.comhttp://www.securityfocus.com/bid/69748
secalert@redhat.comhttps://support.apple.com/kb/HT205031
af854a3a-2127-422b-91ae-364da2661108http://curl.haxx.se/docs/adv_20140910A.htmlPatch
af854a3a-2127-422b-91ae-364da2661108http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743
af854a3a-2127-422b-91ae-364da2661108http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00024.html
af854a3a-2127-422b-91ae-364da2661108http://rhn.redhat.com/errata/RHSA-2015-1254.html
af854a3a-2127-422b-91ae-364da2661108http://www.debian.org/security/2014/dsa-3022Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
af854a3a-2127-422b-91ae-364da2661108http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
af854a3a-2127-422b-91ae-364da2661108http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/69748
af854a3a-2127-422b-91ae-364da2661108https://support.apple.com/kb/HT205031
Impacted products
Vendor Product Version
haxx curl *
haxx curl 7.31.0
haxx curl 7.32.0
haxx curl 7.33.0
haxx curl 7.34.0
haxx curl 7.35.0
haxx curl 7.36.0
haxx curl 7.37.0
haxx libcurl *
haxx libcurl 7.31.0
haxx libcurl 7.32.0
haxx libcurl 7.33.0
haxx libcurl 7.34.0
haxx libcurl 7.35.0
haxx libcurl 7.36.0
haxx libcurl 7.37.0
apple mac_os_x *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B72E7AFD-F700-4EE7-AC64-238AC573CDBA",
              "versionEndIncluding": "7.37.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:curl:7.31.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "5ECABFCB-0D02-4B5B-BB35-C6B3C0896348",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:curl:7.32.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "5A5176F0-E62F-46FF-B536-DC0680696773",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:curl:7.33.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "506A3761-3D24-43DB-88D8-4EB5B9E8BA5C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:curl:7.34.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0B6EF8B0-0E86-449C-A500-ACD902A78C7F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:curl:7.35.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4D558CC2-0146-4887-834E-19FCB1D512A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:curl:7.36.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "6931764D-16AB-4546-9CE3-5B4E03BC984A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:curl:7.37.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "6FC1313E-8DCB-4B29-A9BC-A27C8CB360E9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F0181855-D18C-49D9-8BC5-2EC16689B7EF",
              "versionEndIncluding": "7.37.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:7.31.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1791BF6D-2C96-4A6E-90D4-2906A73601F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:7.32.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "260DD751-4145-4B75-B892-5FC932C6A305",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:7.33.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "EFF4AD0D-2EC5-4CE8-B6B3-2EC8ED2FF118",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:7.34.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3EB1CB85-0A9B-4816-B471-278774EE6D4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:7.35.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3831AB03-4E7E-476D-9623-58AADC188DFE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:7.36.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "ABACE305-2F0C-4B59-BC5C-6DF162B450E4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:7.37.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "6FAC1B55-F492-484E-B837-E7745682DE0A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7883E465-932D-4C11-AA54-97E44181F906",
              "versionEndIncluding": "10.10.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1."
    },
    {
      "lang": "es",
      "value": "cURL y libcurl anteriores a 7.38.0 no manejan correctamente las direcciones IP en nombres de dominio de cookies, lo que permite a atacantes remotos usar cookies definidas por ellos mismos o enviar cookies arbitrarias a ciertos sitios, como originada por un sitio en 192.168.0.1 estableciendo las cookies para un sitio en 127.168.0.1."
    }
  ],
  "id": "CVE-2014-3613",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2014-11-18T15:59:00.140",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch"
      ],
      "url": "http://curl.haxx.se/docs/adv_20140910A.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10743"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00024.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-1254.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.debian.org/security/2014/dsa-3022"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.securityfocus.com/bid/69748"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://support.apple.com/kb/HT205031"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://curl.haxx.se/docs/adv_20140910A.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10743"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00024.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-1254.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.debian.org/security/2014/dsa-3022"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/69748"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://support.apple.com/kb/HT205031"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-310"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.