CVE-2014-2522
Published: 2014-04-18
CVE-2014-2522: curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a…
Priority: P4 (19), medium, CVSS 2.0 score 4.0, vector AV:N/AC:H/Au:N/C:P/I:P/A:N
EPSS: 0.24% (48.2th percentile)
curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.
Affected (22 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | libcurl | — | — |
| haxx | libcurl | — | — |
| haxx | libcurl | — | — |
| haxx | libcurl | — | — |
| haxx | libcurl | — | — |
| haxx | libcurl | — | — |
| haxx | libcurl | — | — |
| haxx | libcurl | — | — |
| haxx | libcurl | — | — |
| haxx | libcurl | — | — |
| haxx | libcurl | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:N |
| vendor_debian | — | 4.0 | LOW | — |
Debian
CVE-2014-2522: curl - curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SC...
vendor_debian·2014·CVSS 4.0
CVE-2014-2522 [MEDIUM] CVE-2014-2522: curl - curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SC...
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
GHSA
GHSA-wrgp-wm42-6wqv: curl and libcurl 7
ghsa_unreviewed·2022-05-17
CVE-2014-2522 [MEDIUM] CWE-20 GHSA-wrgp-wm42-6wqv: curl and libcurl 7
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References

- http://curl.haxx.se/docs/adv_20140326D.html
- http://seclists.org/oss-sec/2014/q1/585
- http://seclists.org/oss-sec/2014/q1/586
- http://secunia.com/advisories/57836
- http://secunia.com/advisories/57966
- http://secunia.com/advisories/57968
- http://secunia.com/advisories/59458
- http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095862
- http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/
- http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/
- http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/
- http://www.securityfocus.com/bid/66296

Published: 2014-04-18