Vulnerability Details : CVE-2014-3613
cURL and libcurl before 7.38.0 do not properly handle IP addresses in cookie domain names: the cookie-domain check tail-matches the host name even when the host is a numeric IP address, so a cookie whose domain is the tail of one address also matches every other address that ends in the same digits. This allows remote attackers to set cookies for, or send arbitrary cookies to, certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1 (both end in 168.0.1). The issue is fixed in curl 7.38.0; the curl project's own advisory is adv_20140910A, listed in the references below.
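The mechanism in the description, as an added example that is not libcurl's code: a cookie-domain check that tail-matches even numeric hosts (the pre-7.38.0 behaviour the advisory describes) beside a hardened version that treats any IP-literal host as host-only. The function names, the sample hosts and the shape of the hardened rule are this example's own assumptions and are a reimplementation of the idea, not the 7.38.0 patch itself.

```c
/* Cookie domain matching for literal IP hosts: the pre-7.38.0 behaviour
 * beside a hardened check. Added example, not libcurl source. */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Returns 1 when `s` is a literal IPv4 or IPv6 address. */
static int is_ip_literal(const char *s)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Classic cookie-domain tail match: `domain` (leading dot ignored) must equal
 * `host` or be a suffix of it that starts at a label boundary, so that
 * "notexample.com" does not match Domain=example.com. This rule is right for
 * names and wrong for numbers: "127.168.0.1" tail-matches "168.0.1". */
static int tail_match(const char *domain, const char *host)
{
    size_t dlen, hlen;

    if (*domain == '.')
        domain++;
    dlen = strlen(domain);
    hlen = strlen(host);
    if (dlen == 0 || dlen >= hlen)
        return dlen != 0 && strcasecmp(domain, host) == 0;
    return host[hlen - dlen - 1] == '.' &&
           strcasecmp(host + (hlen - dlen), domain) == 0;
}

/* Shared name-based rule: the setter must itself tail-match the Domain it
 * claims, and the cookie then goes to every host that tail-matches it.
 * A missing Domain attribute makes the cookie host-only. */
static int domain_rule(const char *set_by, const char *domain_attr,
                       const char *target)
{
    if (domain_attr == NULL)
        return strcasecmp(set_by, target) == 0;
    if (!tail_match(domain_attr, set_by))
        return 0;
    return tail_match(domain_attr, target);
}

/* Behaviour described in the advisory: the name-based rule is applied to
 * numeric hosts too, so Domain=168.0.1 set by 192.168.0.1 reaches 127.168.0.1. */
int cookie_sent_vulnerable(const char *set_by, const char *domain_attr,
                           const char *target)
{
    return domain_rule(set_by, domain_attr, target);
}

/* Hardened rule (this example's own formulation): an IP literal has no parent
 * domain, so a cookie set by, aimed at, or scoped to a numeric host is treated
 * as host-only and only an identical address receives it. */
int cookie_sent_fixed(const char *set_by, const char *domain_attr,
                      const char *target)
{
    if (is_ip_literal(set_by) || is_ip_literal(target) ||
        (domain_attr != NULL && is_ip_literal(domain_attr)))
        return strcasecmp(set_by, target) == 0;
    return domain_rule(set_by, domain_attr, target);
}

int main(void)
{
    /* Constructed inputs: setting host, Domain= attribute, target host. */
    const char *cases[][3] = {
        { "192.168.0.1",     "168.0.1",     "127.168.0.1" },   /* advisory's example */
        { "192.168.0.1",     "168.0.1",     "192.168.0.1" },
        { "www.example.com", "example.com", "api.example.com" },
        { "www.example.com", "example.com", "notexample.com" },
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s Domain=%-12s -> %-16s pre-7.38.0:%d fixed:%d\n",
               cases[i][0], cases[i][1], cases[i][2],
               cookie_sent_vulnerable(cases[i][0], cases[i][1], cases[i][2]),
               cookie_sent_fixed(cases[i][0], cases[i][1], cases[i][2]));
    return 0;
}
```

The first row is the case the description gives: the vulnerable rule returns 1 for 127.168.0.1 and the hardened rule returns 0, while name-based cookies behave identically under both. On a deployed system, `curl --version` (or `curl-config --version` for the library) shows whether the installed build predates 7.38.0; distributions that backported the fix keep the older version number, so compare against the vendor advisories in the references rather than the upstream number alone.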
Products affected by CVE-2014-3613
- cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.32.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.31.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.35.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.33.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.34.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.36.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.37.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:*:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.31.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.32.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.33.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.34.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.35.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.36.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.37.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-3613
EPSS score: 0.57% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~78% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2014-3613
Base Score | Base Severity | CVSS Vector (v2) | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | |
CWE ids for CVE-2014-3613
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-3613
- cURL/libcURL CVE-2014-3613 Remote Security Bypass Vulnerability: http://www.securityfocus.com/bid/69748
- [security-announce] openSUSE-SU-2014:1139-1: important: curl: http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00024.html
- Juniper Networks - 2016-04 Security Bulletin: Junos: Multiple vulnerabilities in cURL and libcurl: http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743
- About the security content of OS X Yosemite v10.10.5 and Security Update 2015-006 - Apple Support: https://support.apple.com/kb/HT205031
- Oracle Critical Patch Update - October 2017: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- RHSA-2015:1254 - Security Advisory - Red Hat Customer Portal: http://rhn.redhat.com/errata/RHSA-2015-1254.html
- Oracle Linux Bulletin - October 2015: http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
- Debian -- Security Information -- DSA-3022-1 curl (Vendor Advisory): http://www.debian.org/security/2014/dsa-3022
- Apple - Lists.apple.com: http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
- Oracle Critical Patch Update - July 2015: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- curl - cookie leak with IP address as domain - CVE-2014-3613 (Patch): http://curl.haxx.se/docs/adv_20140910A.html