CVE-2013-1944: Infoleak
First published: Wed Apr 10 2013(Updated: )
A security flaw was found in the way the library of cURL, an utility for retrieval of files from remote servers, performed match of cookie domain names when making a decision if (previously stored cookies) should be sent to particular domain. Due to a bug in match function implementation, (formerly) the decision / match succeeded also in cases, where just suffix / certain part of the domain name matched the domain name, the current request originated from. A remote attacker could use this flaw to possibly hijack the user session of the victim by submitting a request containing a specially-crafted domain name. References: [1] <a href="http://thread.gmane.org/gmane.comp.web.curl.library/38986">http://thread.gmane.org/gmane.comp.web.curl.library/38986</a> Acknowledgements: Red Hat would like to thank the cURL project for reporting this issue. Upstream acknowledges YAMADA Yasuharu as the original reporter.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Haxx Curl | <=7.29.0 | |
| Haxx Curl | =6.0 | |
| Haxx Curl | =6.1 | |
| Haxx Curl | =6.1-beta | |
| Haxx Curl | =6.2 | |
| Haxx Curl | =6.3 | |
| Haxx Curl | =6.3.1 | |
| Haxx Curl | =6.4 | |
| Haxx Curl | =6.5 | |
| Haxx Curl | =6.5.1 | |
| Haxx Curl | =6.5.2 | |
| Haxx Curl | =7.1 | |
| Haxx Curl | =7.1.1 | |
| Haxx Curl | =7.2 | |
| Haxx Curl | =7.2.1 | |
| Haxx Curl | =7.3 | |
| Haxx Curl | =7.4 | |
| Haxx Curl | =7.4.1 | |
| Haxx Curl | =7.4.2 | |
| Haxx Curl | =7.5.1 | |
| Haxx Curl | =7.5.2 | |
| Haxx Curl | =7.6 | |
| Haxx Curl | =7.6.1 | |
| Haxx Curl | =7.7 | |
| Haxx Curl | =7.7.1 | |
| Haxx Curl | =7.7.2 | |
| Haxx Curl | =7.7.3 | |
| Haxx Curl | =7.8 | |
| Haxx Curl | =7.8.1 | |
| Haxx Curl | =7.9 | |
| Haxx Curl | =7.9.1 | |
| Haxx Curl | =7.9.2 | |
| Haxx Curl | =7.9.3 | |
| Haxx Curl | =7.9.4 | |
| Haxx Curl | =7.9.5 | |
| Haxx Curl | =7.9.6 | |
| Haxx Curl | =7.9.7 | |
| Haxx Curl | =7.9.8 | |
| Haxx Curl | =7.10 | |
| Haxx Curl | =7.10.1 | |
| Haxx Curl | =7.10.2 | |
| Haxx Curl | =7.10.3 | |
| Haxx Curl | =7.10.4 | |
| Haxx Curl | =7.10.5 | |
| Haxx Curl | =7.10.6 | |
| Haxx Curl | =7.10.7 | |
| Haxx Curl | =7.10.8 | |
| Haxx Curl | =7.11.0 | |
| Haxx Curl | =7.11.1 | |
| Haxx Curl | =7.11.2 | |
| Haxx Curl | =7.12.0 | |
| Haxx Curl | =7.12.1 | |
| Haxx Curl | =7.12.2 | |
| Haxx Curl | =7.12.3 | |
| Haxx Curl | =7.13.0 | |
| Haxx Curl | =7.13.1 | |
| Haxx Curl | =7.13.2 | |
| Haxx Curl | =7.14.0 | |
| Haxx Curl | =7.14.1 | |
| Haxx Curl | =7.15.0 | |
| Haxx Curl | =7.15.1 | |
| Haxx Curl | =7.15.2 | |
| Haxx Curl | =7.15.3 | |
| Haxx Curl | =7.15.4 | |
| Haxx Curl | =7.15.5 | |
| Haxx Curl | =7.16.0 | |
| Haxx Curl | =7.16.1 | |
| Haxx Curl | =7.16.2 | |
| Haxx Curl | =7.16.3 | |
| Haxx Curl | =7.16.4 | |
| Haxx Curl | =7.17.0 | |
| Haxx Curl | =7.17.1 | |
| Haxx Curl | =7.18.0 | |
| Haxx Curl | =7.18.1 | |
| Haxx Curl | =7.18.2 | |
| Haxx Curl | =7.19.0 | |
| Haxx Curl | =7.19.1 | |
| Haxx Curl | =7.19.2 | |
| Haxx Curl | =7.19.3 | |
| Haxx Curl | =7.19.4 | |
| Haxx Curl | =7.19.5 | |
| Haxx Curl | =7.19.6 | |
| Haxx Curl | =7.19.7 | |
| Haxx Curl | =7.20.0 | |
| Haxx Curl | =7.20.1 | |
| Haxx Curl | =7.21.0 | |
| Haxx Curl | =7.21.1 | |
| Haxx Curl | =7.21.2 | |
| Haxx Curl | =7.21.3 | |
| Haxx Curl | =7.21.4 | |
| Haxx Curl | =7.21.5 | |
| Haxx Curl | =7.21.6 | |
| Haxx Curl | =7.21.7 | |
| Haxx Curl | =7.22.0 | |
| Haxx Curl | =7.23.0 | |
| Haxx Curl | =7.23.1 | |
| Haxx Curl | =7.24.0 | |
| Haxx Curl | =7.25.0 | |
| Haxx Curl | =7.26.0 | |
| Haxx Curl | =7.27.0 | |
| Haxx Curl | =7.28.0 | |
| Haxx Curl | =7.28.1 | |
| Haxx Libcurl | <=7.29.0 | |
| Haxx Libcurl | =7.14.0 | |
| Haxx Libcurl | =7.14.1 | |
| Haxx Libcurl | =7.15.0 | |
| Haxx Libcurl | =7.15.1 | |
| Haxx Libcurl | =7.15.2 | |
| Haxx Libcurl | =7.15.3 | |
| Haxx Libcurl | =7.15.4 | |
| Haxx Libcurl | =7.15.5 | |
| Haxx Libcurl | =7.16.0 | |
| Haxx Libcurl | =7.16.2 | |
| Haxx Libcurl | =7.16.3 | |
| Haxx Libcurl | =7.16.4 | |
| Haxx Libcurl | =7.17.0 | |
| Haxx Libcurl | =7.17.1 | |
| Haxx Libcurl | =7.18.0 | |
| Haxx Libcurl | =7.18.2 | |
| Haxx Libcurl | =7.19.3 | |
| Haxx Libcurl | =7.20.0 | |
| Haxx Libcurl | =7.21.2 | |
| Haxx Libcurl | =7.22.0 | |
| Haxx Libcurl | =7.23.0 | |
| Haxx Libcurl | =7.28.0 | |
| Haxx Libcurl | =7.28.1 | |
| Canonical Ubuntu Linux | =8.04 | |
| Canonical Ubuntu Linux | =10.04 | |
| Canonical Ubuntu Linux | =11.10 | |
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =12.10 | |
| redhat/curl | <7.30.0 | 7.30.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://curl.haxx.se/docs/adv_20130412.html
- http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102056.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102711.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104207.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104598.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105539.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106606.html
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00013.html
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00016.html
- http://rhn.redhat.com/errata/RHSA-2013-0771.html
- http://secunia.com/advisories/53044
- http://secunia.com/advisories/53051
- http://secunia.com/advisories/53097
- http://www.debian.org/security/2012/dsa-2660
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:151
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
- http://www.osvdb.org/92316
- http://www.securityfocus.com/bid/59058
- http://www.ubuntu.com/usn/USN-1801-1
- https://bugzilla.redhat.com/show_bug.cgi?id=950577
- https://github.com/bagder/curl/commit/2eb8dcf26cb37f09cffe26909a646e702dbcab66
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0121
- http://thread.gmane.org/gmane.comp.web.curl.library/38986
- https://access.redhat.com/security/cve/CVE-2013-1944
- http://curl.haxx.se/curl-tailmatch.patch
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=734032&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=734032&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=951417
- https://github.com/bagder/curl/commit/5c5e1a1cd206ad8feadaa83a37d0326ba45cf45d
- https://github.com/bagder/curl/commit/11dee0bfae702c07b510dce05a55d1b8144fbbcb
- https://rhn.redhat.com/errata/RHSA-2013-0771.html
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/references
- agent/author
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-1944
- agent/software-canonical-lookup
- agent/tags
- agent/event
- vendor/haxx
- canonical/haxx curl
- version/haxx curl/7.29.0
- version/haxx curl/6.0
- version/haxx curl/6.1
- version/haxx curl/6.1-beta
- version/haxx curl/6.2
- version/haxx curl/6.3
- version/haxx curl/6.3.1
- version/haxx curl/6.4
- version/haxx curl/6.5
- version/haxx curl/6.5.1
- version/haxx curl/6.5.2
- version/haxx curl/7.1
- version/haxx curl/7.1.1
- version/haxx curl/7.2
- version/haxx curl/7.2.1
- version/haxx curl/7.3
- version/haxx curl/7.4
- version/haxx curl/7.4.1
- version/haxx curl/7.4.2
- version/haxx curl/7.5.1
- version/haxx curl/7.5.2
- version/haxx curl/7.6
- version/haxx curl/7.6.1
- version/haxx curl/7.7
- version/haxx curl/7.7.1
- version/haxx curl/7.7.2
- version/haxx curl/7.7.3
- version/haxx curl/7.8
- version/haxx curl/7.8.1
- version/haxx curl/7.9
- version/haxx curl/7.9.1
- version/haxx curl/7.9.2
- version/haxx curl/7.9.3
- version/haxx curl/7.9.4
- version/haxx curl/7.9.5
- version/haxx curl/7.9.6
- version/haxx curl/7.9.7
- version/haxx curl/7.9.8
- version/haxx curl/7.10
- version/haxx curl/7.10.1
- version/haxx curl/7.10.2
- version/haxx curl/7.10.3
- version/haxx curl/7.10.4
- version/haxx curl/7.10.5
- version/haxx curl/7.10.6
- version/haxx curl/7.10.7
- version/haxx curl/7.10.8
- version/haxx curl/7.11.0
- version/haxx curl/7.11.1
- version/haxx curl/7.11.2
- version/haxx curl/7.12.0
- version/haxx curl/7.12.1
- version/haxx curl/7.12.2
- version/haxx curl/7.12.3
- version/haxx curl/7.13.0
- version/haxx curl/7.13.1
- version/haxx curl/7.13.2
- version/haxx curl/7.14.0
- version/haxx curl/7.14.1
- version/haxx curl/7.15.0
- version/haxx curl/7.15.1
- version/haxx curl/7.15.2
- version/haxx curl/7.15.3
- version/haxx curl/7.15.4
- version/haxx curl/7.15.5
- version/haxx curl/7.16.0
- version/haxx curl/7.16.1
- version/haxx curl/7.16.2
- version/haxx curl/7.16.3
- version/haxx curl/7.16.4
- version/haxx curl/7.17.0
- version/haxx curl/7.17.1
- version/haxx curl/7.18.0
- version/haxx curl/7.18.1
- version/haxx curl/7.18.2
- version/haxx curl/7.19.0
- version/haxx curl/7.19.1
- version/haxx curl/7.19.2
- version/haxx curl/7.19.3
- version/haxx curl/7.19.4
- version/haxx curl/7.19.5
- version/haxx curl/7.19.6
- version/haxx curl/7.19.7
- version/haxx curl/7.20.0
- version/haxx curl/7.20.1
- version/haxx curl/7.21.0
- version/haxx curl/7.21.1
- version/haxx curl/7.21.2
- version/haxx curl/7.21.3
- version/haxx curl/7.21.4
- version/haxx curl/7.21.5
- version/haxx curl/7.21.6
- version/haxx curl/7.21.7
- version/haxx curl/7.22.0
- version/haxx curl/7.23.0
- version/haxx curl/7.23.1
- version/haxx curl/7.24.0
- version/haxx curl/7.25.0
- version/haxx curl/7.26.0
- version/haxx curl/7.27.0
- version/haxx curl/7.28.0
- version/haxx curl/7.28.1
- canonical/haxx libcurl
- version/haxx libcurl/7.29.0
- version/haxx libcurl/7.14.0
- version/haxx libcurl/7.14.1
- version/haxx libcurl/7.15.0
- version/haxx libcurl/7.15.1
- version/haxx libcurl/7.15.2
- version/haxx libcurl/7.15.3
- version/haxx libcurl/7.15.4
- version/haxx libcurl/7.15.5
- version/haxx libcurl/7.16.0
- version/haxx libcurl/7.16.2
- version/haxx libcurl/7.16.3
- version/haxx libcurl/7.16.4
- version/haxx libcurl/7.17.0
- version/haxx libcurl/7.17.1
- version/haxx libcurl/7.18.0
- version/haxx libcurl/7.18.2
- version/haxx libcurl/7.19.3
- version/haxx libcurl/7.20.0
- version/haxx libcurl/7.21.2
- version/haxx libcurl/7.22.0
- version/haxx libcurl/7.23.0
- version/haxx libcurl/7.28.0
- version/haxx libcurl/7.28.1
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/8.04
- version/canonical ubuntu linux/10.04
- version/canonical ubuntu linux/11.10
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/12.10
- package-manager/redhat