CVE-2014-3613 — Improper Input Validation in Curl

CWE-310 CWE-20 — Improper Input Validation CWE-284 — Improper Access Control13 documents9 sources

Severity

5.0MEDIUMNVD

EPSS

1.8%

top 17.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Apple MAC OS X Haxx Libcurl

Timeline

PublishedNov 18

Latest updateMay 14

Description

cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages5 packages

▶NVDhaxx/libcurl7.37.1+7

▶Debianhaxx/curl< 7.38.0-1+3

▶Ubuntuhaxx/curl< 7.35.0-1ubuntu2.1

▶NVDhaxx/curl7.37.1+7

▶NVDapple/mac_os_x10.10.4

Patches

Patch: curl.haxx.se ↗Patch: curl.haxx.se ↗

🔴Vulnerability Details

GHSA

GHSA-gcmw-6qh5-324w: cURL and libcurl before 7↗2022-05-14

▶

OSV

CVE-2014-3613: cURL and libcurl before 7↗2014-11-18

▶

CVEList

CVE-2014-3613: cURL and libcurl before 7↗2014-11-18

▶

OSV

curl vulnerabilities↗2014-09-15

▶

📋Vendor Advisories

Ubuntu

curl vulnerabilities↗2014-09-15

▶

Red Hat

curl: incorrect handling of IP addresses in cookie domain↗2014-09-10

▶

Debian

CVE-2014-3613: curl - cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie d...↗2014

▶

Apple

CVE-2014-3613: OS X Yosemite v10.10.5 and Security Update 2015-006↗

▶

💬Community

Bugzilla

CVE-2014-3620 CVE-2014-3613 mingw-curl: various flaws [epel-7]↗2014-09-10

▶

Bugzilla

CVE-2014-3620 CVE-2014-3613 mingw-curl: various flaws [fedora-all]↗2014-09-10

▶

Bugzilla

CVE-2014-3613 curl: incorrect handling of IP addresses in cookie domain [fedora-all]↗2014-09-10

▶

Bugzilla

CVE-2014-3613 curl: incorrect handling of IP addresses in cookie domain↗2014-09-02

▶