CVE-2014-2522: Improper Input Validation in Curl

Severity: 4.0 MEDIUM (NVD)
EPSS: 0.3% (top 47.40%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see below
Timeline: Published Apr 18; Latest update May 17

Description

curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.

CVSS vector

AV:N/AC:H/C:P/I:P/A:N (Exploitability: 4.9 | Impact: 4.9)

Affected Packages (2 packages)

NVD: haxx/libcurl, 11 versions (+10)
NVD: haxx/curl, 10 versions (+9)

Patches

Vulnerability Details (2)

GHSA: GHSA-wrgp-wm42-6wqv: curl and libcurl 7 (2022-05-17)
CVEList: CVE-2014-2522: curl and libcurl 7 (2014-04-18)

Vendor Advisories (1)

Debian: CVE-2014-2522: curl - curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SC... (2014)
CVE-2014-2522 — Improper Input Validation in Haxx Curl | cvebase