CVE-2014-0015 : cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method

cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.

Published 2014-02-02 00:55:05

Updated 2025-04-11 00:51:22

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2014-0015

Haxx » Curl » Version: 7.26.0
cpe:2.3:a:haxx:curl:7.26.0:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.28.1
cpe:2.3:a:haxx:curl:7.28.1:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.27.0
cpe:2.3:a:haxx:curl:7.27.0:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.28.0
cpe:2.3:a:haxx:curl:7.28.0:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.10.8
cpe:2.3:a:haxx:curl:7.10.8:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.12.1
cpe:2.3:a:haxx:curl:7.12.1:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.12.2
cpe:2.3:a:haxx:curl:7.12.2:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.12.3
cpe:2.3:a:haxx:curl:7.12.3:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.15.1
cpe:2.3:a:haxx:curl:7.15.1:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.15.2
cpe:2.3:a:haxx:curl:7.15.2:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.16.1
cpe:2.3:a:haxx:curl:7.16.1:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.16.0
cpe:2.3:a:haxx:curl:7.16.0:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.19.6
cpe:2.3:a:haxx:curl:7.19.6:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.19.7
cpe:2.3:a:haxx:curl:7.19.7:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.21.6
cpe:2.3:a:haxx:curl:7.21.6:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.21.7
cpe:2.3:a:haxx:curl:7.21.7:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.22.0
cpe:2.3:a:haxx:curl:7.22.0:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.23.0
cpe:2.3:a:haxx:curl:7.23.0:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.29.0
cpe:2.3:a:haxx:curl:7.29.0:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.30.0
cpe:2.3:a:haxx:curl:7.30.0:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.10.7
cpe:2.3:a:haxx:curl:7.10.7:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.13.1
cpe:2.3:a:haxx:curl:7.13.1:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.13.2
cpe:2.3:a:haxx:curl:7.13.2:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.15.5
cpe:2.3:a:haxx:curl:7.15.5:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.15.4
cpe:2.3:a:haxx:curl:7.15.4:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.17.1
cpe:2.3:a:haxx:curl:7.17.1:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.17.0
cpe:2.3:a:haxx:curl:7.17.0:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.19.4
cpe:2.3:a:haxx:curl:7.19.4:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.19.5
cpe:2.3:a:haxx:curl:7.19.5:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.21.4
cpe:2.3:a:haxx:curl:7.21.4:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.21.5
cpe:2.3:a:haxx:curl:7.21.5:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.23.1
cpe:2.3:a:haxx:curl:7.23.1:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.24.0
cpe:2.3:a:haxx:curl:7.24.0:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.11.0
cpe:2.3:a:haxx:curl:7.11.0:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.11.1
cpe:2.3:a:haxx:curl:7.11.1:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.13.0
cpe:2.3:a:haxx:curl:7.13.0:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.14.0
cpe:2.3:a:haxx:curl:7.14.0:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.15.3
cpe:2.3:a:haxx:curl:7.15.3:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.16.4
cpe:2.3:a:haxx:curl:7.16.4:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.18.2
cpe:2.3:a:haxx:curl:7.18.2:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.18.1
cpe:2.3:a:haxx:curl:7.18.1:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.19.2
cpe:2.3:a:haxx:curl:7.19.2:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.19.3
cpe:2.3:a:haxx:curl:7.19.3:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.21.2
cpe:2.3:a:haxx:curl:7.21.2:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.21.3
cpe:2.3:a:haxx:curl:7.21.3:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.25.0
cpe:2.3:a:haxx:curl:7.25.0:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.10.6
cpe:2.3:a:haxx:curl:7.10.6:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.11.2
cpe:2.3:a:haxx:curl:7.11.2:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.12.0
cpe:2.3:a:haxx:curl:7.12.0:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.14.1
cpe:2.3:a:haxx:curl:7.14.1:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.15.0
cpe:2.3:a:haxx:curl:7.15.0:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.16.3
cpe:2.3:a:haxx:curl:7.16.3:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.16.2
cpe:2.3:a:haxx:curl:7.16.2:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.18.0
cpe:2.3:a:haxx:curl:7.18.0:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.19.1
cpe:2.3:a:haxx:curl:7.19.1:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.19.0
cpe:2.3:a:haxx:curl:7.19.0:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.20.0
cpe:2.3:a:haxx:curl:7.20.0:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.20.1
cpe:2.3:a:haxx:curl:7.20.1:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.21.0
cpe:2.3:a:haxx:curl:7.21.0:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.21.1
cpe:2.3:a:haxx:curl:7.21.1:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.32.0
cpe:2.3:a:haxx:curl:7.32.0:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.31.0
cpe:2.3:a:haxx:curl:7.31.0:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.33.0
cpe:2.3:a:haxx:curl:7.33.0:*:*:*:*:*:*:*
Matching versions
Haxx » Curl » Version: 7.34.0
cpe:2.3:a:haxx:curl:7.34.0:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.26.0
cpe:2.3:a:haxx:libcurl:7.26.0:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.28.1
cpe:2.3:a:haxx:libcurl:7.28.1:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.27.0
cpe:2.3:a:haxx:libcurl:7.27.0:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.28.0
cpe:2.3:a:haxx:libcurl:7.28.0:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.10.7
cpe:2.3:a:haxx:libcurl:7.10.7:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.10.8
cpe:2.3:a:haxx:libcurl:7.10.8:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.11.0
cpe:2.3:a:haxx:libcurl:7.11.0:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.11.1
cpe:2.3:a:haxx:libcurl:7.11.1:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.13.1
cpe:2.3:a:haxx:libcurl:7.13.1:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.13.2
cpe:2.3:a:haxx:libcurl:7.13.2:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.15.4
cpe:2.3:a:haxx:libcurl:7.15.4:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.15.5
cpe:2.3:a:haxx:libcurl:7.15.5:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.16.0
cpe:2.3:a:haxx:libcurl:7.16.0:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.18.0
cpe:2.3:a:haxx:libcurl:7.18.0:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.18.1
cpe:2.3:a:haxx:libcurl:7.18.1:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.19.5
cpe:2.3:a:haxx:libcurl:7.19.5:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.19.6
cpe:2.3:a:haxx:libcurl:7.19.6:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.21.4
cpe:2.3:a:haxx:libcurl:7.21.4:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.21.5
cpe:2.3:a:haxx:libcurl:7.21.5:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.25.0
cpe:2.3:a:haxx:libcurl:7.25.0:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.12.3
cpe:2.3:a:haxx:libcurl:7.12.3:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.13.0
cpe:2.3:a:haxx:libcurl:7.13.0:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.15.2
cpe:2.3:a:haxx:libcurl:7.15.2:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.15.3
cpe:2.3:a:haxx:libcurl:7.15.3:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.17.0
cpe:2.3:a:haxx:libcurl:7.17.0:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.17.1
cpe:2.3:a:haxx:libcurl:7.17.1:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.19.3
cpe:2.3:a:haxx:libcurl:7.19.3:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.19.4
cpe:2.3:a:haxx:libcurl:7.19.4:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.21.1
cpe:2.3:a:haxx:libcurl:7.21.1:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.21.2
cpe:2.3:a:haxx:libcurl:7.21.2:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.21.3
cpe:2.3:a:haxx:libcurl:7.21.3:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.23.1
cpe:2.3:a:haxx:libcurl:7.23.1:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.24.0
cpe:2.3:a:haxx:libcurl:7.24.0:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.30.0
cpe:2.3:a:haxx:libcurl:7.30.0:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.11.2
cpe:2.3:a:haxx:libcurl:7.11.2:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.12.0
cpe:2.3:a:haxx:libcurl:7.12.0:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.14.0
cpe:2.3:a:haxx:libcurl:7.14.0:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.14.1
cpe:2.3:a:haxx:libcurl:7.14.1:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.16.1
cpe:2.3:a:haxx:libcurl:7.16.1:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.16.2
cpe:2.3:a:haxx:libcurl:7.16.2:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.18.2
cpe:2.3:a:haxx:libcurl:7.18.2:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.19.0
cpe:2.3:a:haxx:libcurl:7.19.0:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.19.7
cpe:2.3:a:haxx:libcurl:7.19.7:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.20.0
cpe:2.3:a:haxx:libcurl:7.20.0:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.21.6
cpe:2.3:a:haxx:libcurl:7.21.6:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.21.7
cpe:2.3:a:haxx:libcurl:7.21.7:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.10.6
cpe:2.3:a:haxx:libcurl:7.10.6:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.12.1
cpe:2.3:a:haxx:libcurl:7.12.1:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.12.2
cpe:2.3:a:haxx:libcurl:7.12.2:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.15.0
cpe:2.3:a:haxx:libcurl:7.15.0:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.15.1
cpe:2.3:a:haxx:libcurl:7.15.1:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.16.3
cpe:2.3:a:haxx:libcurl:7.16.3:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.16.4
cpe:2.3:a:haxx:libcurl:7.16.4:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.19.1
cpe:2.3:a:haxx:libcurl:7.19.1:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.19.2
cpe:2.3:a:haxx:libcurl:7.19.2:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.20.1
cpe:2.3:a:haxx:libcurl:7.20.1:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.21.0
cpe:2.3:a:haxx:libcurl:7.21.0:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.22.0
cpe:2.3:a:haxx:libcurl:7.22.0:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.23.0
cpe:2.3:a:haxx:libcurl:7.23.0:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.29.0
cpe:2.3:a:haxx:libcurl:7.29.0:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.31.0
cpe:2.3:a:haxx:libcurl:7.31.0:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.32.0
cpe:2.3:a:haxx:libcurl:7.32.0:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.33.0
cpe:2.3:a:haxx:libcurl:7.33.0:*:*:*:*:*:*:*
Matching versions
Haxx » Libcurl » Version: 7.34.0
cpe:2.3:a:haxx:libcurl:7.34.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2014-0015

EPSS FAQ

2.46%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 84 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-0015

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.0	MEDIUM	AV:N/AC:H/Au:N/C:P/I:P/A:N	4.9	4.9	NIST
Access Vector: Network Access Complexity: High Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2014-0015

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-0015

http://www.securityfocus.com/bid/65270

cURL/libcURL NTLM connection Remote Security Bypass Vulnerability
http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127627.html

[SECURITY] Fedora 20 Update: curl-7.32.0-4.fc20
http://archives.neohapsis.com/archives/bugtraq/2014-06/0172.html

CVEs referencing this url
http://www.securitytracker.com/id/1029710

libcURL May Use an Incorrect NTLM Connection - SecurityTracker
http://www.vmware.com/security/advisories/VMSA-2014-0012.html

VMSA-2014-0012.1

CVEs referencing this url
http://support.apple.com/kb/HT6296

About the security content of OS X Mavericks v10.9.4 and Security Update 2014-003 - Apple Support

CVEs referencing this url
http://secunia.com/advisories/59475

Sign in

CVEs referencing this url
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.502652

The Slackware Linux Project: Slackware Security Advisories
http://www.debian.org/security/2014/dsa-2849

Debian -- Security Information -- DSA-2849-1 curl
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743

Juniper Networks - 2016-04 Security Bulletin: Junos: Multiple vulnerabilities in cURL and libcurl

CVEs referencing this url
http://secunia.com/advisories/56728

Sign in
Vendor Advisory
http://www.ubuntu.com/usn/USN-2097-1

USN-2097-1: curl vulnerability | Ubuntu security notices
http://curl.haxx.se/docs/adv_20140129.html

curl - re-use of wrong HTTP NTLM connection - CVE-2014-0015
Patch;Vendor Advisory
http://seclists.org/fulldisclosure/2014/Dec/23

Full Disclosure: NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities

CVEs referencing this url
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

Oracle Critical Patch Update - January 2015

CVEs referencing this url
http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html

Oracle Solaris Bulletin - January 2016

CVEs referencing this url
http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095862

IBM Security Bulletin: Security Bulletin: IBM ToolsCenter is affected by several cURL potential vulnerabilities (CVE-2014-0015, CVE-2014-0139, CVE-2014-0138, CVE-2014-2522)

CVEs referencing this url
http://lists.opensuse.org/opensuse-updates/2014-02/msg00066.html

openSUSE-SU-2014:0274-1: moderate: update for curl
http://secunia.com/advisories/56912

Sign in
http://www.securityfocus.com/archive/1/534161/100/0/threaded

SecurityFocus

CVEs referencing this url
http://secunia.com/advisories/56734

Sign in
Vendor Advisory
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

Oracle Critical Patch Update - July 2015

CVEs referencing this url
http://lists.fedoraproject.org/pipermail/package-announce/2014-February/128408.html

[SECURITY] Fedora 19 Update: curl-7.29.0-13.fc19
http://secunia.com/advisories/59458

Sign in

CVEs referencing this url
http://secunia.com/advisories/56731

Sign in

Jump to

Vulnerability Details : CVE-2014-0015

Products affected by CVE-2014-0015

Exploit prediction scoring system (EPSS) score for CVE-2014-0015

CVSS scores for CVE-2014-0015

CWE ids for CVE-2014-0015

References for CVE-2014-0015