CVE-2014-8151

Published: 15/01/2015 Updated: 01/07/2017
CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6
VMScore: 516
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Vulnerability Summary

The darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in libcurl 7.31.0 up to and including 7.39.0, when using the DarwinSSL (aka SecureTransport) back-end for TLS, does not check whether a cached TLS session was created with certificate verification enabled before reusing that session, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
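The following is an added illustration, not code from libcurl: a constructed model of a TLS session cache in which the lookup is keyed on the host only (the class of defect described above) next to a lookup that also requires the cached session's verification settings to match the new connection's. The struct, cache layout and session ids are assumptions made for the example.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of a cached TLS session (not curl's real structure).
 * Real caches key on host and port; host alone is enough to show the point. */
struct session_entry {
    char host[64];
    bool verify_peer;  /* was the certificate chain validated when the session was made? */
    bool verify_host;  /* was the hostname checked against the certificate? */
    int session_id;    /* stand-in for the opaque TLS session handle */
};

#define CACHE_SIZE 4
static struct session_entry cache[CACHE_SIZE];
static int cache_count = 0;

void cache_reset(void) { cache_count = 0; }

void cache_store(const char *host, bool verify_peer, bool verify_host, int session_id) {
    if (cache_count >= CACHE_SIZE) return;  /* toy cache: drop when full */
    struct session_entry *e = &cache[cache_count++];
    strncpy(e->host, host, sizeof e->host - 1);
    e->host[sizeof e->host - 1] = '\0';
    e->verify_peer = verify_peer;
    e->verify_host = verify_host;
    e->session_id = session_id;
}

/* Vulnerable pattern: matches on host only, so a session that was set up with
 * verification disabled is resumed by a connection that expects verification,
 * and the resumed connection never re-checks the certificate. Returns -1 if none. */
int lookup_vulnerable(const char *host, bool verify_peer, bool verify_host) {
    (void)verify_peer; (void)verify_host;  /* ignored: this is the bug */
    for (int i = 0; i < cache_count; i++)
        if (strcmp(cache[i].host, host) == 0) return cache[i].session_id;
    return -1;
}

/* Hardened pattern: reuse a session only when it was created under the same
 * verification settings the new connection asks for. Returns -1 if none. */
int lookup_fixed(const char *host, bool verify_peer, bool verify_host) {
    for (int i = 0; i < cache_count; i++) {
        const struct session_entry *e = &cache[i];
        if (strcmp(e->host, host) != 0) continue;
        if (e->verify_peer != verify_peer || e->verify_host != verify_host) continue;
        return e->session_id;
    }
    return -1;
}
```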

Vulnerable Products

apple mac os x
haxx libcurl 7.31.0
haxx libcurl 7.32.0
haxx libcurl 7.33.0
haxx libcurl 7.34.0
haxx libcurl 7.35.0
haxx libcurl 7.36.0
haxx libcurl 7.37.0
haxx libcurl 7.37.1
haxx libcurl 7.38.0
haxx libcurl 7.39

Vendor Advisories

The darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in libcurl 7.31.0 through 7.39.0, when using the DarwinSSL (aka SecureTransport) back-end for TLS, does not check if a cached TLS session validated the certificate when reusing the session, which allows man-in-the-middle attackers to spoof servers via a crafted certificate ...