CVE-2014-3620 — Improper Input Validation in Curl

CWE-310 CWE-20 — Improper Input Validation CWE-284 — Improper Access Control14 documents10 sources

Severity

5.0MEDIUMNVD

EPSS

1.3%

top 20.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Apple MAC OS X Haxx Libcurl

Timeline

PublishedNov 18

Latest updateMay 12

Description

cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages5 packages

▶NVDhaxx/libcurl7.37.1+7

▶Debianhaxx/curl< 7.38.0-1+3

▶Ubuntuhaxx/curl< 7.35.0-1ubuntu2.1

▶NVDhaxx/curl7.37.1+7

▶NVDapple/mac_os_x10.10.4

Patches

Patch: curl.haxx.se ↗Patch: curl.haxx.se ↗

🔴Vulnerability Details

GHSA

GHSA-jcjc-gx52-c9q4: cURL and libcurl before 7↗2022-05-12

▶

OSV

CVE-2014-3620: cURL and libcurl before 7↗2014-11-18

▶

CVEList

CVE-2014-3620: cURL and libcurl before 7↗2014-11-18

▶

OSV

curl vulnerabilities↗2014-09-15

▶

📋Vendor Advisories

Ubuntu

curl vulnerabilities↗2014-09-15

▶

Red Hat

curl: cookies accepted for TLDs↗2014-09-10

▶

Debian

CVE-2014-3620: curl - cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin ...↗2014

▶

Apple

CVE-2014-3620: OS X Yosemite v10.10.5 and Security Update 2015-006↗

▶

💬Community

HackerOne

CVE-2022-27779: cookie for trailing dot TLD↗2022-05-11

▶

Bugzilla

CVE-2014-3620 CVE-2014-3613 mingw-curl: various flaws [epel-7]↗2014-09-10

▶

Bugzilla

CVE-2014-3620 CVE-2014-3613 mingw-curl: various flaws [fedora-all]↗2014-09-10

▶

Bugzilla

CVE-2014-3620 curl: cookies accepted for TLDs [fedora-all]↗2014-09-10

▶

Bugzilla

CVE-2014-3620 curl: cookies accepted for TLDs↗2014-09-05

▶