CVE-2014-0138 — Improper Authentication in Curl

CWE-287 — Improper Authentication11 documents8 sources

Severity

6.4MEDIUMNVD

CNA4.0OSV4.0

EPSS

0.7%

top 28.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Debian Linux Haxx Libcurl

Timeline

PublishedApr 15

Latest updateMay 14

Description

The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015.

CVSS vector

AV:N/AC:L/C:P/I:P/A:NExploitability: 10.0 | Impact: 4.9

Affected Packages3 packages

▶NVDhaxx/libcurl65 versions+64

▶Debianhaxx/curl< 7.36.0-1+3

▶NVDhaxx/curl65 versions+64

Also affects: Debian Linux 7.0

🔴Vulnerability Details

GHSA

GHSA-j832-g86m-353x: The default configuration in cURL and libcurl 7↗2022-05-14

▶

OSV

CVE-2014-0138: The default configuration in cURL and libcurl 7↗2014-04-15

▶

CVEList

CVE-2014-0138: The default configuration in cURL and libcurl 7↗2014-04-15

▶

📋Vendor Advisories

Ubuntu

curl vulnerabilities↗2014-04-14

▶

Red Hat

curl: wrong re-use of connections in libcurl↗2014-03-26

▶

Debian

CVE-2014-0138: curl - The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) S...↗2014

▶

💬Community

Bugzilla

CVE-2014-0138 CVE-2014-0139 mingw32-curl: various flaws [epel-5]↗2014-03-26

▶

Bugzilla

CVE-2014-0138 CVE-2014-0139 mingw-curl: various flaws [fedora-all]↗2014-03-26

▶

Bugzilla

CVE-2014-0138 curl: wrong re-use of connections in libcurl [fedora-all]↗2014-03-26

▶

Bugzilla

CVE-2014-0138 curl: wrong re-use of connections in libcurl↗2014-03-21

▶