CVE-2014-8150: CRLF Injection
First published: Thu Jan 15 2015(Updated: )
CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Debian | =7.0 | |
| libcurl | =6.0 | |
| libcurl | =6.1 | |
| libcurl | =6.1-beta | |
| libcurl | =6.2 | |
| libcurl | =6.3 | |
| libcurl | =6.3.1 | |
| libcurl | =6.4 | |
| libcurl | =6.5 | |
| libcurl | =6.5.1 | |
| libcurl | =6.5.2 | |
| libcurl | =7.1 | |
| libcurl | =7.1.1 | |
| libcurl | =7.2 | |
| libcurl | =7.2.1 | |
| libcurl | =7.3 | |
| libcurl | =7.4 | |
| libcurl | =7.4.1 | |
| libcurl | =7.4.2 | |
| libcurl | =7.5 | |
| libcurl | =7.5.1 | |
| libcurl | =7.5.2 | |
| libcurl | =7.6 | |
| libcurl | =7.6.1 | |
| libcurl | =7.7 | |
| libcurl | =7.7.1 | |
| libcurl | =7.7.2 | |
| libcurl | =7.7.3 | |
| libcurl | =7.8 | |
| libcurl | =7.8.1 | |
| libcurl | =7.9 | |
| libcurl | =7.9.1 | |
| libcurl | =7.9.2 | |
| libcurl | =7.9.3 | |
| libcurl | =7.9.4 | |
| libcurl | =7.9.5 | |
| libcurl | =7.9.6 | |
| libcurl | =7.9.7 | |
| libcurl | =7.9.8 | |
| libcurl | =7.10 | |
| libcurl | =7.10.1 | |
| libcurl | =7.10.2 | |
| libcurl | =7.10.3 | |
| libcurl | =7.10.4 | |
| libcurl | =7.10.5 | |
| libcurl | =7.10.6 | |
| libcurl | =7.10.7 | |
| libcurl | =7.10.8 | |
| libcurl | =7.11.0 | |
| libcurl | =7.11.1 | |
| libcurl | =7.11.2 | |
| libcurl | =7.12.0 | |
| libcurl | =7.12.1 | |
| libcurl | =7.12.2 | |
| libcurl | =7.12.3 | |
| libcurl | =7.13.0 | |
| libcurl | =7.13.1 | |
| libcurl | =7.13.2 | |
| libcurl | =7.14.0 | |
| libcurl | =7.14.1 | |
| libcurl | =7.15.0 | |
| libcurl | =7.15.1 | |
| libcurl | =7.15.2 | |
| libcurl | =7.15.3 | |
| libcurl | =7.15.4 | |
| libcurl | =7.15.5 | |
| libcurl | =7.16.0 | |
| libcurl | =7.16.1 | |
| libcurl | =7.16.2 | |
| libcurl | =7.16.3 | |
| libcurl | =7.16.4 | |
| libcurl | =7.17.0 | |
| libcurl | =7.17.1 | |
| libcurl | =7.18.0 | |
| libcurl | =7.18.1 | |
| libcurl | =7.18.2 | |
| libcurl | =7.19.0 | |
| libcurl | =7.19.1 | |
| libcurl | =7.19.2 | |
| libcurl | =7.19.3 | |
| libcurl | =7.19.4 | |
| libcurl | =7.19.5 | |
| libcurl | =7.19.6 | |
| libcurl | =7.19.7 | |
| libcurl | =7.20.0 | |
| libcurl | =7.20.1 | |
| libcurl | =7.21.0 | |
| libcurl | =7.21.1 | |
| libcurl | =7.21.2 | |
| libcurl | =7.21.3 | |
| libcurl | =7.21.4 | |
| libcurl | =7.21.5 | |
| libcurl | =7.21.6 | |
| libcurl | =7.21.7 | |
| libcurl | =7.22.0 | |
| libcurl | =7.23.0 | |
| libcurl | =7.23.1 | |
| libcurl | =7.24.0 | |
| libcurl | =7.25.0 | |
| libcurl | =7.26.0 | |
| libcurl | =7.27.0 | |
| libcurl | =7.28.0 | |
| libcurl | =7.28.1 | |
| libcurl | =7.29.0 | |
| libcurl | =7.30.0 | |
| libcurl | =7.31.0 | |
| libcurl | =7.32.0 | |
| libcurl | =7.33.0 | |
| libcurl | =7.34.0 | |
| libcurl | =7.35.0 | |
| libcurl | =7.36.0 | |
| libcurl | =7.37.0 | |
| libcurl | =7.37.1 | |
| libcurl | =7.38.0 | |
| libcurl | =7.39 | |
| Ubuntu | =10.04 | |
| Ubuntu | =12.04 | |
| Ubuntu | =14.04 | |
| Ubuntu | =14.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://advisories.mageia.org/MGASA-2015-0020.html
- http://curl.haxx.se/docs/adv_20150108B.html
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147856.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147876.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/156945.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157188.html
- http://lists.opensuse.org/opensuse-updates/2015-02/msg00040.html
- http://rhn.redhat.com/errata/RHSA-2015-1254.html
- http://secunia.com/advisories/61925
- http://secunia.com/advisories/62075
- http://secunia.com/advisories/62361
- http://www.debian.org/security/2015/dsa-3122
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:021
- http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
- http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
- http://www.securityfocus.com/bid/71964
- http://www.securitytracker.com/id/1032768
- http://www.ubuntu.com/usn/USN-2474-1
- https://kc.mcafee.com/corporate/index?page=content&id=SB10131
- https://security.gentoo.org/glsa/201701-47
- https://support.apple.com/kb/HT205031
Frequently Asked Questions
What is the severity of CVE-2014-8150?
CVE-2014-8150 is classified as a medium severity vulnerability due to its potential for HTTP response splitting attacks.
How do I fix CVE-2014-8150?
To fix CVE-2014-8150, upgrade libcurl to version 7.40.0 or later, which contains the necessary security patches.
What systems are affected by CVE-2014-8150?
CVE-2014-8150 affects libcurl versions from 6.0 through 7.x before 7.40.0, as well as specific distributions like Debian and Ubuntu.
What types of attacks can CVE-2014-8150 facilitate?
CVE-2014-8150 can facilitate HTTP response splitting attacks by allowing remote attackers to inject arbitrary HTTP headers.
Is CVE-2014-8150 specific to certain versions of libcurl?
Yes, CVE-2014-8150 specifically affects libcurl versions 6.0 through 7.x before 7.40.0.
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/author
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/debian
- canonical/debian
- version/debian/7.0
- vendor/haxx
- canonical/libcurl
- version/libcurl/6.0
- version/libcurl/6.1
- version/libcurl/6.1-beta
- version/libcurl/6.2
- version/libcurl/6.3
- version/libcurl/6.3.1
- version/libcurl/6.4
- version/libcurl/6.5
- version/libcurl/6.5.1
- version/libcurl/6.5.2
- version/libcurl/7.1
- version/libcurl/7.1.1
- version/libcurl/7.2
- version/libcurl/7.2.1
- version/libcurl/7.3
- version/libcurl/7.4
- version/libcurl/7.4.1
- version/libcurl/7.4.2
- version/libcurl/7.5
- version/libcurl/7.5.1
- version/libcurl/7.5.2
- version/libcurl/7.6
- version/libcurl/7.6.1
- version/libcurl/7.7
- version/libcurl/7.7.1
- version/libcurl/7.7.2
- version/libcurl/7.7.3
- version/libcurl/7.8
- version/libcurl/7.8.1
- version/libcurl/7.9
- version/libcurl/7.9.1
- version/libcurl/7.9.2
- version/libcurl/7.9.3
- version/libcurl/7.9.4
- version/libcurl/7.9.5
- version/libcurl/7.9.6
- version/libcurl/7.9.7
- version/libcurl/7.9.8
- version/libcurl/7.10
- version/libcurl/7.10.1
- version/libcurl/7.10.2
- version/libcurl/7.10.3
- version/libcurl/7.10.4
- version/libcurl/7.10.5
- version/libcurl/7.10.6
- version/libcurl/7.10.7
- version/libcurl/7.10.8
- version/libcurl/7.11.0
- version/libcurl/7.11.1
- version/libcurl/7.11.2
- version/libcurl/7.12.0
- version/libcurl/7.12.1
- version/libcurl/7.12.2
- version/libcurl/7.12.3
- version/libcurl/7.13.0
- version/libcurl/7.13.1
- version/libcurl/7.13.2
- version/libcurl/7.14.0
- version/libcurl/7.14.1
- version/libcurl/7.15.0
- version/libcurl/7.15.1
- version/libcurl/7.15.2
- version/libcurl/7.15.3
- version/libcurl/7.15.4
- version/libcurl/7.15.5
- version/libcurl/7.16.0
- version/libcurl/7.16.1
- version/libcurl/7.16.2
- version/libcurl/7.16.3
- version/libcurl/7.16.4
- version/libcurl/7.17.0
- version/libcurl/7.17.1
- version/libcurl/7.18.0
- version/libcurl/7.18.1
- version/libcurl/7.18.2
- version/libcurl/7.19.0
- version/libcurl/7.19.1
- version/libcurl/7.19.2
- version/libcurl/7.19.3
- version/libcurl/7.19.4
- version/libcurl/7.19.5
- version/libcurl/7.19.6
- version/libcurl/7.19.7
- version/libcurl/7.20.0
- version/libcurl/7.20.1
- version/libcurl/7.21.0
- version/libcurl/7.21.1
- version/libcurl/7.21.2
- version/libcurl/7.21.3
- version/libcurl/7.21.4
- version/libcurl/7.21.5
- version/libcurl/7.21.6
- version/libcurl/7.21.7
- version/libcurl/7.22.0
- version/libcurl/7.23.0
- version/libcurl/7.23.1
- version/libcurl/7.24.0
- version/libcurl/7.25.0
- version/libcurl/7.26.0
- version/libcurl/7.27.0
- version/libcurl/7.28.0
- version/libcurl/7.28.1
- version/libcurl/7.29.0
- version/libcurl/7.30.0
- version/libcurl/7.31.0
- version/libcurl/7.32.0
- version/libcurl/7.33.0
- version/libcurl/7.34.0
- version/libcurl/7.35.0
- version/libcurl/7.36.0
- version/libcurl/7.37.0
- version/libcurl/7.37.1
- version/libcurl/7.38.0
- version/libcurl/7.39
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/10.04
- version/ubuntu/12.04
- version/ubuntu/14.04
- version/ubuntu/14.10