CVE-2014-0015 — Improper Authentication in Curl

CWE-287 — Improper Authentication13 documents8 sources

Severity

4.0MEDIUMNVD

EPSS

1.4%

top 19.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Haxx Libcurl

Timeline

PublishedFeb 2

Latest updateMay 14

Description

cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.

CVSS vector

AV:N/AC:H/C:P/I:P/A:NExploitability: 4.9 | Impact: 4.9

Affected Packages3 packages

▶NVDhaxx/libcurl64 versions+63

▶Debianhaxx/curl< 7.35.0-1+3

▶NVDhaxx/curl64 versions+63

Patches

Patch: curl.haxx.se ↗Patch: curl.haxx.se ↗

🔴Vulnerability Details

GHSA

GHSA-93wp-ggwv-r77q: cURL and libcurl 7↗2022-05-14

▶

OSV

CVE-2014-0015: cURL and libcurl 7↗2014-02-02

▶

CVEList

CVE-2014-0015: cURL and libcurl 7↗2014-02-02

▶

📋Vendor Advisories

Red Hat

curl: NTLM credentials not-checked for proxy connection re-use↗2016-01-27

▶

Red Hat

curl: re-using authenticated connection when unauthenticated↗2015-04-22

▶

Red Hat

curl: wrong re-use of connections in libcurl↗2014-03-26

▶

Ubuntu

curl vulnerability↗2014-02-03

▶

Red Hat

curl: re-use of wrong HTTP NTLM connection in libcurl↗2014-01-29

▶

💬Community

Bugzilla

CVE-2014-0213 CVE-2014-0214 CVE-2014-0215 CVE-2014-0216 CVE-2014-0217 CVE-2014-0218 moodle: upstream 2.7, 2.6.3, 2.5.6, and 2.4.10 security fixes↗2014-05-21

▶

Bugzilla

CVE-2014-0015 curl: re-use of wrong HTTP NTLM connection in libcurl [fedora-all]↗2014-01-29

▶

Bugzilla

CVE-2014-0015 curl: re-use of wrong HTTP NTLM connection in libcurl↗2014-01-15

▶