Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
5
CVSSv2

CVE-2014-3613

Published: 18/11/2014 Updated: 05/01/2018
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Subscribe to Haxx

Vulnerability Summary

cURL and libcurl prior to 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote malicious users to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.

Vulnerable Product Search on Vulmon Subscribe to Product

haxx curl 7.33.0

haxx curl 7.34.0

haxx curl 7.37.0

haxx curl

haxx curl 7.31.0

haxx curl 7.32.0

haxx curl 7.35.0

haxx curl 7.36.0

haxx libcurl 7.37.0

haxx libcurl 7.36.0

haxx libcurl 7.33.0

haxx libcurl 7.32.0

haxx libcurl

haxx libcurl 7.31.0

haxx libcurl 7.35.0

haxx libcurl 7.34.0

apple mac os x

Vendor Advisories

Red Hat: Moderate: curl security, bug fix, and enhancement update
Synopsis Moderate: curl security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Topic Updated curl packages that fix multiple security issues, several bugs, andadd two enhancements are now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as ...
Ubuntu Security Notice: curl vulnerabilities
Several security issues were fixed in curl ...
Debian Security Advisories: DSA-3022-1 curl -- security update
Two vulnerabilities have been discovered in cURL, an URL transfer library They can be use to leak cookie information: CVE-2014-3613 By not detecting and rejecting domain names for partial literal IP addresses properly when parsing received HTTP cookies, libcurl can be fooled to both sending cookies to wrong sites and into allowing ...
Amazon Linux AMI: ALAS-2014-407
libcurl wrongly allows cookies to be set for TLDs, thus making them much broader then they are supposed to be allowed to This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain By not detecting and rejecting domain names for partial literal IP addresses properly when parsing received HTTP ...
Red Hat: CVE-2014-3613
It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user's cookie to a crafted domain, making other cookie-related issues easier to exploit ...

References

CWE-310http://www.debian.org/security/2014/dsa-3022http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00024.htmlhttp://curl.haxx.se/docs/adv_20140910A.htmlhttp://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.htmlhttp://lists.apple.com/archives/security-announce/2015/Aug/msg00001.htmlhttps://support.apple.com/kb/HT205031http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.htmlhttp://www.securityfocus.com/bid/69748http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.htmlhttp://rhn.redhat.com/errata/RHSA-2015-1254.htmlhttps://access.redhat.com/errata/RHSA-2015:2159https://usn.ubuntu.com/2346-1/https://nvd.nist.govhttps://access.redhat.com/security/cve/cve-2014-3613
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-21111CVE-2024-32884IDORCVE-2023-1000CVE-2024-33260CVE-2024-3682reflected XSSrace conditionCVE-2024-3400
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook