Vulnerability Details : CVE-2014-8150
CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.
Products affected by CVE-2014-8150
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.26.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.28.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.27.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.28.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.9:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.9.7:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.9.8:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.10.7:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.10.8:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.7:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.10:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.13.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.15.4:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.15.5:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.16.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.18.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.18.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.19.5:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.19.6:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.21.4:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.21.5:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.25.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.12.3:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.13.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.15.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.15.3:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.17.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.17.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.19.3:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.19.4:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.21.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.21.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.21.3:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.23.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.24.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.30.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.10.4:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.14.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.14.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.16.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.16.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.18.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.19.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.19.7:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.20.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.21.6:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.21.7:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.8:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.10.5:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.10.6:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.12.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.15.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.16.3:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.16.4:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.19.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.19.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.20.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.21.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.22.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.23.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.29.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.31.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.32.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.33.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.34.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.35.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.36.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.37.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.37.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.38.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:6.4:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:6.5:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.5:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:6.1:beta:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.39:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.4:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.3:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:6.3:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:6.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:6.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:6.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.6:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.4.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-8150
- EPSS score: 3.43% (probability of exploitation activity in the next 30 days)
- Percentile: ~87% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2014-8150
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
References for CVE-2014-8150
- http://www.debian.org/security/2015/dsa-3122
  Debian -- Security Information -- DSA-3122-1 curl
- https://security.gentoo.org/glsa/201701-47
  cURL: Multiple vulnerabilities (GLSA 201701-47) — Gentoo security
- http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147856.html
  [SECURITY] Fedora 20 Update: curl-7.32.0-18.fc20
- http://curl.haxx.se/docs/adv_20150108B.html
  curl - URL request injection - CVE-2014-8150 (Vendor Advisory)
- http://www.ubuntu.com/usn/USN-2474-1
  USN-2474-1: curl vulnerability | Ubuntu security notices
- http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147876.html
  [SECURITY] Fedora 21 Update: curl-7.37.0-12.fc21
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743
  Juniper Networks - 2016-04 Security Bulletin: Junos: Multiple vulnerabilities in cURL and libcurl
- https://support.apple.com/kb/HT205031
  About the security content of OS X Yosemite v10.10.5 and Security Update 2015-006 - Apple Support
- http://rhn.redhat.com/errata/RHSA-2015-1254.html
  RHSA-2015:1254 - Security Advisory - Red Hat Customer Portal
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
  Oracle Linux Bulletin - October 2015
- http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
  Oracle Bulletin Board Update - January 2015
- https://kc.mcafee.com/corporate/index?page=content&id=SB10131
  McAfee Security Bulletin: McAfee Agent patch fixes three Libcurl vulnerabilities
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/156945.html
  [SECURITY] Fedora 22 Update: mingw-curl-7.42.0-1.fc22
- http://advisories.mageia.org/MGASA-2015-0020.html
  Mageia Advisory: MGASA-2015-0020 - Updated curl packages fix CVE-2014-8150
- http://secunia.com/advisories/61925
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
  Apple - Lists.apple.com
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:021
  mandriva.com
- http://www.securitytracker.com/id/1032768
  IBM Tivoli Composite Application Manager libcurl Bug Lets Remote Authenticated Users Conduct HTTP Response Splitting Attacks - SecurityTracker
- http://secunia.com/advisories/62075
- http://secunia.com/advisories/62361
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157188.html
  [SECURITY] Fedora 21 Update: mingw-curl-7.42.0-1.fc21
- http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
  Oracle Critical Patch Update - October 2015
- http://www.securityfocus.com/bid/71964
  cURL/libcURL CVE-2014-8150 Remote Security Bypass Vulnerability
- http://lists.opensuse.org/opensuse-updates/2015-02/msg00040.html
  openSUSE-SU-2015:0248-1: moderate: Security update for curl