CVE-2014-0138: The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS…

CVE-2014-0138 [MEDIUM] CWE-287 GHSA-j832-g86m-353x: The default configuration in cURL and libcurl 7 The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015.

CVE-2014-0138 [MEDIUM] CVE-2014-0138: The default configuration in cURL and libcurl 7 The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015.

[MEDIUM] Hitachi Energy MSM Product ## Archived Content In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs. ICS Advisory ## Hitachi Energy MSM Product Last RevisedAugust 30, 2022 Alert CodeICSA-22-242-03 ## 1. EXECUTIVE SUMMARY - CVSS v3 7.5 - ATTENTION: Exploitable remotely/low attack complexity - Vendor: Hitachi Energy - Equipment: MSM Product - Vulnerability: Reliance on Uncontrolled Component ## 2. RISK EVALUATION Successful exploitation of this vulnerability could disrupt the functionality of the MSM web interface, steal sensitive user credentials, or cause a denial-of-service condition. ## 3. TECHNICAL DETAILS ## 3.1 AFFECTED PRODUCTS Hitachi Energy reports multiple open-source softwar

CVE-2013-1752 [MEDIUM] VMware vSphere product updates address security vulnerabilities VMSA-2014-0012: VMware vSphere product updates address security vulnerabilities a. VMware vCSA cross-site scripting vulnerability VMware vCenter Server Appliance (vCSA) contains a vulnerability that may allow for Cross Site Scripting. Exploitation of this vulnerability in vCenter Server requires tricking a user to click on a malicious link or to open a malicious web page. VMware would like to thank Tanya Secker of Trustwave SpiderLabs for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-3797 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Product Version Running on Replace with/ Apply Patch VMware Pro

CVE-2014-0138 [MEDIUM] curl vulnerabilities Title: curl vulnerabilities Summary: Several security issues were fixed in curl. Steve Holme discovered that libcurl incorrectly reused wrong connections when using protocols other than HTTP and FTP. This could lead to the use of unintended credentials, possibly exposing sensitive information. (CVE-2014-0138) Richard Moore discovered that libcurl incorrectly validated wildcard SSL certificates that contain literal IP addresses. An attacker could possibly exploit this to perform a machine-in-the-middle attack to view sensitive information or alter encrypted communications. (CVE-2014-0139) Instructions: In general, a standard system update will make all the necessary changes.

CVE-2014-0138 [MEDIUM] curl: wrong re-use of connections in libcurl curl: wrong re-use of connections in libcurl The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015. Statement: This issue affects the version of curl as shipped with Red Hat Enterprise Linux 5 and 7. The Red Hat Security Response Team has rated this issue as having Moderate security impact, a future update may address this flaw. Package: curl (Red Hat Enterprise Linux 5) - Will not fix Package: curl (Red Hat Enterprise Linux 7) - Not affected

CVE-2014-0138 [MEDIUM] CVE-2014-0138: curl - The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) S... The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015. Scope: local bookworm: resolved (fixed in 7.36.0-1) bullseye: resolved (fixed in 7.36.0-1) forky: resolved (fixed in 7.36.0-1) sid: resolved (fixed in 7.36.0-1) trixie: resolved (fixed in 7.36.0-1)

CVE-2014-0138 [MEDIUM] CVE-2014-0138 CVE-2014-0139 mingw32-curl: various flaws [epel-5] CVE-2014-0138 CVE-2014-0139 mingw32-curl: various flaws [epel-5] This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when available. epel-5 tracking bug for mingw32-cur

CVE-2014-0138 [MEDIUM] CVE-2014-0138 CVE-2014-0139 mingw-curl: various flaws [fedora-all] CVE-2014-0138 CVE-2014-0139 mingw-curl: various flaws [fedora-all] This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when available. Please note: this issue affects multip

CVE-2014-0138 [MEDIUM] CVE-2014-0138 curl: wrong re-use of connections in libcurl [fedora-all] CVE-2014-0138 curl: wrong re-use of connections in libcurl [fedora-all] This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when available. Please note: this issue affects m

CVE-2014-0138 [MEDIUM] CVE-2014-0138 curl: wrong re-use of connections in libcurl CVE-2014-0138 curl: wrong re-use of connections in libcurl Daniel Stenberg reported the following vulnerability in cURL: libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP. libcurl features a pool of recent connections so that subsequent requests can re-use an existing connection to avoid overhead. When re-using a connection a range of criterion must first be met. Due to an error in the code, a transfer that was initiated by an application could wrongfully re-use an existing connection to the same server that was authenticated using different credentials. The existing logic basically only worked well enough for HTTP and FTP, while all other network protocols were silently, but erroneously, assumed to work lik