CVE-2015-3153: Infoleak
First published: Fri May 01 2015(Updated: )
The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle Enterprise Manager Ops Center | <=12.1.3 | |
| Oracle Enterprise Manager Ops Center | =12.2.0 | |
| Oracle Enterprise Manager Ops Center | =12.2.1 | |
| Oracle Enterprise Manager Ops Center | =12.3.0 | |
| Curl | <=7.42.0 | |
| libcurl | <=7.42.0 | |
| Ubuntu | =12.04 | |
| Ubuntu | =14.04 | |
| Ubuntu | =14.10 | |
| Ubuntu | =15.1 | |
| Apple iOS and macOS | =10.10.4 | |
| Debian | =8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://curl.haxx.se/docs/adv_20150429.html
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
- http://lists.opensuse.org/opensuse-updates/2015-05/msg00017.html
- http://www.debian.org/security/2015/dsa-3240
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
- http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
- http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
- http://www.securityfocus.com/bid/74408
- http://www.securitytracker.com/id/1032233
- http://www.ubuntu.com/usn/USN-2591-1
- https://kc.mcafee.com/corporate/index?page=content&id=SB10131
- https://support.apple.com/kb/HT205031
Frequently Asked Questions
What is the severity of CVE-2015-3153?
CVE-2015-3153 is classified as a high severity vulnerability due to the potential exposure of sensitive information.
How do I fix CVE-2015-3153?
To fix CVE-2015-3153, you should upgrade to cURL and libcurl version 7.42.1 or later.
Which software is affected by CVE-2015-3153?
CVE-2015-3153 affects multiple versions of cURL, libcurl, and Oracle Enterprise Manager Ops Center.
What is the impact of CVE-2015-3153?
The impact of CVE-2015-3153 includes the risk of remote proxy servers accessing sensitive information through custom HTTP headers.
Is there a patch available for CVE-2015-3153?
Yes, a patch is available in the form of upgraded versions of cURL and libcurl, specifically version 7.42.1 and later.
- agent/references
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/oracle
- canonical/oracle enterprise manager ops center
- version/oracle enterprise manager ops center/12.1.3
- version/oracle enterprise manager ops center/12.2.0
- version/oracle enterprise manager ops center/12.2.1
- version/oracle enterprise manager ops center/12.3.0
- vendor/haxx
- canonical/curl
- version/curl/7.42.0
- canonical/libcurl
- version/libcurl/7.42.0
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/12.04
- version/ubuntu/14.04
- version/ubuntu/14.10
- version/ubuntu/15.1
- vendor/apple
- canonical/apple ios and macos
- version/apple ios and macos/10.10.4
- vendor/debian
- canonical/debian
- version/debian/8.0