CVE-2013-1944 — Sensitive Information Exposure in Curl

CWE-200 — Sensitive Information Exposure9 documents8 sources

Severity

5.0MEDIUMNVD

EPSS

2.5%

top 14.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Haxx Libcurl Canonical Ubuntu Linux

Timeline

PublishedApr 29

Latest updateMay 17

Description

The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶NVDhaxx/libcurl7.29.0+23

▶Debianhaxx/curl< 7.29.0-2.1+3

▶NVDhaxx/curl7.29.0+100

Also affects: Ubuntu Linux 10.04, 11.10, 12.04, 12.10, 8.04

🔴Vulnerability Details

GHSA

GHSA-q8gg-xjf7-2v3w: The tailMatch function in cookie↗2022-05-17

▶

OSV

CVE-2013-1944: The tailMatch function in cookie↗2013-04-29

▶

CVEList

CVE-2013-1944: The tailMatch function in cookie↗2013-04-29

▶

📋Vendor Advisories

Ubuntu

curl vulnerability↗2013-04-16

▶

Red Hat

curl: Cookie domain suffix match vulnerability↗2013-04-12

▶

Debian

CVE-2013-1944: curl - The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not pr...↗2013

▶

💬Community

Bugzilla

CVE-2013-1944 curl: Cookie domain suffix match vulnerability [fedora-all]↗2013-04-12

▶

Bugzilla

CVE-2013-1944 curl: Cookie domain suffix match vulnerability↗2013-04-10

▶