CVE-2014-8150 — HTTP Request/Response Splitting in Libcurl

CWE-113 — HTTP Request/Response Splitting14 documents10 sources

Severity

4.3MEDIUMNVD

EPSS

1.2%

top 20.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Canonical Ubuntu Linux Debian Linux +1 more

Timeline

PublishedJan 15

Latest updateMay 14

Description

CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶NVDhaxx/libcurl113 versions+112

▶Debianhaxx/curl< 7.38.0-4+3

Also affects: Debian Linux 7.0, Ubuntu Linux 10.04, 12.04, 14.04, 14.10

🔴Vulnerability Details

GHSA

GHSA-rhch-32f3-p669: CRLF injection vulnerability in libcurl 6↗2022-05-14

▶

CVEList

CVE-2014-8150: CRLF injection vulnerability in libcurl 6↗2015-01-15

▶

OSV

CVE-2014-8150: CRLF injection vulnerability in libcurl 6↗2015-01-15

▶

📋Vendor Advisories

Ubuntu

curl vulnerability↗2015-01-15

▶

Red Hat

curl: URL request injection vulnerability in parseurlandfillconn()↗2015-01-08

▶

Debian

CVE-2014-8150: curl - CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when usin...↗2014

▶

Apple

CVE-2014-8150: OS X Yosemite v10.10.5 and Security Update 2015-006↗

▶

💬Community

Bugzilla

asterisk: mitigation for libcURL HTTP request injection vulnerability (AST-2015-002)↗2015-01-29

▶

Bugzilla

CVE-2014-8150 curl: URL request injection vulnerability in parseurlandfillconn() [fedora-all]↗2015-01-08

▶

Bugzilla

CVE-2014-8150 mingw-curl: curl: URL request injection vulnerability in parseurlandfillconn() [epel-7]↗2015-01-08

▶

Bugzilla

CVE-2014-8150 mingw-curl: curl: URL request injection vulnerability in parseurlandfillconn() [fedora-all]↗2015-01-08

▶

HackerOne

libcurl: URL request injection↗2015-01-08

▶