CVE-2014-3620
Published 2014-11-18
Priority P4 · 27 · medium · 5 · CVSS 2.0
AV:N/AC:L/Au:N/C:N/I:P/A:N
EPSS: 1.31% (80.3th percentile)
cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain.
Affected
24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | <= 10.10.4 | — |
| apple | os_x_yosemite_v10.10.5_and_security_update_2015-006 | — | — |
| debian | curl | < curl 7.38.0-1 (bookworm) | curl 7.38.0-1 (bookworm) |
| haxx | curl | <= 7.37.1 | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | >= 0 < 7.38.0-1 | 7.38.0-1 |
| haxx | curl | >= 0 < 7.38.0-1 | 7.38.0-1 |
| haxx | curl | >= 0 < 7.38.0-1 | 7.38.0-1 |
| haxx | curl | >= 0 < 7.38.0-1 | 7.38.0-1 |
| haxx | curl | >= 0 < 7.35.0-1ubuntu2.1 | 7.35.0-1ubuntu2.1 |
| haxx | libcurl | <= 7.37.1 | — |
| haxx | libcurl | — | — |
| haxx | libcurl | — | — |
| haxx | libcurl | — | — |
| haxx | libcurl | — | — |
| haxx | libcurl | — | — |
| haxx | libcurl | — | — |
| haxx | libcurl | — | — |
CVSS provenance
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:N/I:P/A:N
osv · 5.0 MEDIUM
vendor_debian · 5.0 MEDIUM
vendor_redhat · 5.0 MEDIUM
vendor_ubuntu · 5.0 MEDIUM
Ubuntu
curl vulnerabilities
vendor_ubuntu·2014-09-15·CVSS 5.0
CVE-2014-3613 [MEDIUM] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
Tim Ruehsen discovered that curl incorrectly handled partial literal IP
addresses. This could lead to the disclosure of cookies to the wrong site,
and malicious sites being able to set cookies for others. (CVE-2014-3613)
Tim Ruehsen discovered that curl incorrectly allowed cookies to be set
for Top Level Domains (TLDs). This could allow a malicious site to set a
cookie that gets sent to other sites. (CVE-2014-3620)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
curl: cookies accepted for TLDs
vendor_redhat·2014-09-10·CVSS 5.0
CVE-2014-3620 [MEDIUM] CWE-20 curl: cookies accepted for TLDs
curl: cookies accepted for TLDs
cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain.
Statement: This issue did not affect the versions of curl as shipped with Red Hat Enterprise Linux 5, 6, or 7.
Package: curl (Red Hat Enterprise Linux 5) - Not affected
Package: curl (Red Hat Enterprise Linux 6) - Not affected
Package: curl (Red Hat Enterprise Linux 7) - Not affected
Package: mingw-virt-viewer (Red Hat Enterprise Virtualization 3) - Not affected
Debian
CVE-2014-3620: curl - cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin ...
vendor_debian·2014·CVSS 5.0
CVE-2014-3620 [MEDIUM] CVE-2014-3620: curl - cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin ...
cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain.
Scope: local
bookworm: resolved (fixed in 7.38.0-1)
bullseye: resolved (fixed in 7.38.0-1)
forky: resolved (fixed in 7.38.0-1)
sid: resolved (fixed in 7.38.0-1)
trixie: resolved (fixed in 7.38.0-1)
Apple
CVE-2014-3620: OS X Yosemite v10.10.5 and Security Update 2015-006
vendor_apple·CVSS 5.0
CVE-2014-3620 [MEDIUM] CVE-2014-3620: OS X Yosemite v10.10.5 and Security Update 2015-006
Apple Security Update: About the security content of OS X Yosemite v10.10.5 and Security Update 2015-006
Product: OS X Yosemite v10.10.5 and Security Update 2015-006
CVE: CVE-2014-3620
Component: CVE-2014-3620
GHSA
GHSA-jcjc-gx52-c9q4: cURL and libcurl before 7
ghsa_unreviewed·2022-05-12
CVE-2014-3620 [MEDIUM] GHSA-jcjc-gx52-c9q4: cURL and libcurl before 7
cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain.
OSV
CVE-2014-3620: cURL and libcurl before 7
osv·2014-11-18·CVSS 5.0
CVE-2014-3620 [MEDIUM] CVE-2014-3620: cURL and libcurl before 7
cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain.
OSV
curl vulnerabilities
osv·2014-09-15·CVSS 5.0
CVE-2014-3613 [MEDIUM] curl vulnerabilities
curl vulnerabilities
Tim Ruehsen discovered that curl incorrectly handled partial literal IP
addresses. This could lead to the disclosure of cookies to the wrong site,
and malicious sites being able to set cookies for others. (CVE-2014-3613)
Tim Ruehsen discovered that curl incorrectly allowed cookies to be set
for Top Level Domains (TLDs). This could allow a malicious site to set a
cookie that gets sent to other sites. (CVE-2014-3620)
No detection rules found.
No public exploits indexed.
HackerOne
CVE-2022-27779: cookie for trailing dot TLD
hackerone·2022-06-11·CVSS 5.0
CVE-2022-27779 [MEDIUM] CVE-2022-27779: cookie for trailing dot TLD
CVE-2022-27779: cookie for trailing dot TLD
Published Advisory: https://curl.se/docs/CVE-2022-27779.html
Original Report: https://hackerone.com/reports/1553301
## Impact
This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain. (i.e. conduct session fixation attacks.)
cookie for trailing dot TLD
Project curl Security Advisory, May 11 2022 - [Permalink](https://curl.se/docs/CVE-2022-27779.html)
VULNERABILITY
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if the host name is provided with a trailing dot.
curl can be told to receive and send cookies. curl's "cookie engine" can be built with or without [Public Suffix List](https://publicsuffix.org/)
awareness. If PSL support not provided, a more rudimentar
HackerOne
CVE-2022-27779: cookie for trailing dot TLD
hackerone·2022-05-11·CVSS 5.0
CVE-2022-27779 [MEDIUM] CVE-2022-27779: cookie for trailing dot TLD
CVE-2022-27779: cookie for trailing dot TLD
## Summary:
In CVE-2014-3620 curl prevents cookies from being set for Top Level Domains (TLDs). According to the advisory, curl's "cookie parser has no Public Suffix awareness", but it will "reject TLDs from being allowed". However, a cookie can still be set for a TLD + trailing dot.
A trailing dot after a TLD is considered legal and curl will send the http://example.com. to http://example.com
## Steps To Reproduce:
1. Create an Apache file like the following
````
<?php
header("Set-Cookie: a=b; Domain=.me.");
````
2. Now save the cookie to curl and see the cookie is set for .me.
````
curl -c cookies.txt http://localtest.me./index.php
````
cookies.txt:
````
# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was ge
````
Bugzilla
CVE-2014-3620 CVE-2014-3613 mingw-curl: various flaws [epel-7]
bugzilla·2014-09-10·CVSS 5.0
CVE-2014-3620 [MEDIUM] CVE-2014-3620 CVE-2014-3613 mingw-curl: various flaws [epel-7]
CVE-2014-3620 CVE-2014-3613 mingw-curl: various flaws [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-7 tracking bug for mingw-curl: see blocks bug list for full d
Bugzilla
CVE-2014-3620 CVE-2014-3613 mingw-curl: various flaws [fedora-all]
bugzilla·2014-09-10·CVSS 5.0
CVE-2014-3620 [MEDIUM] CVE-2014-3620 CVE-2014-3613 mingw-curl: various flaws [fedora-all]
CVE-2014-3620 CVE-2014-3613 mingw-curl: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. Whi
Bugzilla
CVE-2014-3620 curl: cookies accepted for TLDs [fedora-all]
bugzilla·2014-09-10·CVSS 5.0
CVE-2014-3620 [MEDIUM] CVE-2014-3620 curl: cookies accepted for TLDs [fedora-all]
CVE-2014-3620 curl: cookies accepted for TLDs [fedora-all]
NOTE: this issue affects multiple supported versions of Fedora. While only
Bugzilla
CVE-2014-3620 curl: cookies accepted for TLDs
bugzilla·2014-09-05·CVSS 5.0
CVE-2014-3620 [MEDIUM] CVE-2014-3620 curl: cookies accepted for TLDs
CVE-2014-3620 curl: cookies accepted for TLDs
Daniel Stenberg reported the following vulnerability in cURL that could cause libcurl-based HTTP clients to leak cookie information:
Cookies set for Top Level Domains (TLD)
libcurl wrongly allows cookies to be set for TLDs, thus making them much
broader than they are supposed to be allowed to. This can allow arbitrary
sites to set cookies that then would get sent to a different and unrelated
site or domain.
INFO
Cookie parsing and use is opt-in by applications and is not enabled by
default.
libcurl's cookie parser has no Public Suffix awareness, so apart from
rejecting TLDs from being allowed it might still allow cookies for domains
that are otherwise widely rejected by ordinary browsers. See
https://publicsuffix.org/ for details.
Versio
References:
http://curl.haxx.se/docs/adv_20140910B.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00024.html
http://www.debian.org/security/2014/dsa-3022
http://www.openwall.com/lists/oss-security/2022/05/11/2
http://www.securityfocus.com/bid/69742
https://support.apple.com/kb/HT205031