CVE-2014-0139 — Improper Validation of Certificate with Host Mismatch in Curl

CWE-310 CWE-297 — Improper Validation of Certificate with Host Mismatch15 documents8 sources

Severity

5.8MEDIUMNVD

EPSS

1.2%

top 21.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Haxx Libcurl

Timeline

PublishedApr 15

Latest updateMay 17

Description

cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 8.6 | Impact: 4.9

Affected Packages3 packages

▶NVDhaxx/libcurl65 versions+64

▶Debianhaxx/curl< 7.36.0-1+3

▶NVDhaxx/curl65 versions+64

🔴Vulnerability Details

GHSA

GHSA-vwm2-85hg-5h4q: cURL and libcurl 7↗2022-05-17

▶

OSV

CVE-2014-0139: cURL and libcurl 7↗2014-04-15

▶

CVEList

CVE-2014-0139: cURL and libcurl 7↗2014-04-15

▶

📋Vendor Advisories

Ubuntu

curl vulnerabilities↗2014-04-14

▶

Red Hat

curl: IP address wildcard certificate validation issue in libcurl↗2014-03-26

▶

Debian

CVE-2014-0139: curl - cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gsk...↗2014

▶

💬Community

Bugzilla

CVE-2014-0138 CVE-2014-0139 mingw32-curl: various flaws [epel-5]↗2014-03-26

▶

Bugzilla

CVE-2014-0138 CVE-2014-0139 mingw-curl: various flaws [fedora-all]↗2014-03-26

▶

Bugzilla

CVE-2014-0139 curl: IP address wildcard certificate validation issue in libcurl↗2014-03-21

▶

Bugzilla

CVE-2013-6484 pidgin: DoS via specially-crafted stun messages↗2014-01-24

▶

Bugzilla

CVE-2013-6478 pidgin: DoS when rendering long URLs↗2014-01-23

▶