CVE-2014-3613
First published: Tue Nov 18 2014(Updated: )
cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| curl | <=7.37.1 | |
| curl | =7.31.0 | |
| curl | =7.32.0 | |
| curl | =7.33.0 | |
| curl | =7.34.0 | |
| curl | =7.35.0 | |
| curl | =7.36.0 | |
| curl | =7.37.0 | |
| libcurl | <=7.37.1 | |
| libcurl | =7.31.0 | |
| libcurl | =7.32.0 | |
| libcurl | =7.33.0 | |
| libcurl | =7.34.0 | |
| libcurl | =7.35.0 | |
| libcurl | =7.36.0 | |
| libcurl | =7.37.0 | |
| Apple iOS and macOS | <=10.10.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://curl.haxx.se/docs/adv_20140910A.html
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00024.html
- http://rhn.redhat.com/errata/RHSA-2015-1254.html
- http://www.debian.org/security/2014/dsa-3022
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
- http://www.securityfocus.com/bid/69748
- https://support.apple.com/kb/HT205031
Frequently Asked Questions
What is the severity of CVE-2014-3613?
CVE-2014-3613 has a medium severity rating due to its potential to allow cookie manipulation by remote attackers.
How do I fix CVE-2014-3613?
To fix CVE-2014-3613, upgrade to cURL and libcurl version 7.38.0 or later.
Which versions are affected by CVE-2014-3613?
CVE-2014-3613 affects cURL and libcurl versions prior to 7.38.0, including 7.31.0 through 7.37.1.
What types of attacks are possible with CVE-2014-3613?
CVE-2014-3613 can be exploited to send arbitrary cookies to vulnerable sites, potentially leading to session hijacking.
Is CVE-2014-3613 specific to certain operating systems?
No, CVE-2014-3613 affects all operating systems that run affected versions of cURL and libcurl.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/references
- agent/author
- agent/first-publish-date
- agent/event
- agent/description
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/haxx
- canonical/curl
- version/curl/7.37.1
- version/curl/7.31.0
- version/curl/7.32.0
- version/curl/7.33.0
- version/curl/7.34.0
- version/curl/7.35.0
- version/curl/7.36.0
- version/curl/7.37.0
- canonical/libcurl
- version/libcurl/7.37.1
- version/libcurl/7.31.0
- version/libcurl/7.32.0
- version/libcurl/7.33.0
- version/libcurl/7.34.0
- version/libcurl/7.35.0
- version/libcurl/7.36.0
- version/libcurl/7.37.0
- vendor/apple
- canonical/apple ios and macos
- version/apple ios and macos/10.10.4