CVE-2014-1263 — Apple MAC OS X vulnerability

CWE-3103 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

5.8%

top 9.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple MAC OS X Debian Curl

Timeline

PublishedFeb 27

Latest updateMay 17

Description

curl and libcurl 7.27.0 through 7.35.0, when using the SecureTransport/Darwinssl backend, as used in in Apple OS X 10.9.x before 10.9.2, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶NVDapple/mac_os_x10.9.1+1

▶debiandebian/curl

🔴Vulnerability Details

GHSA

GHSA-8p89-chvh-f3mw: curl and libcurl 7↗2022-05-17

▶

📋Vendor Advisories

Debian

CVE-2014-1263: curl - curl and libcurl 7.27.0 through 7.35.0, when using the SecureTransport/Darwinssl...↗2014

▶