PT-2014-1829 · Curl+5 · Libcurl+6

Publicado

2014-01-29

Atualizado

2024-06-15

CVE-2014-0015

CVSS v2.0

6.8

Média

Vetor

AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions cURL and libcurl versions 7.10.6 through 7.34.0

Description The issue allows context-dependent attackers to authenticate as other users via a request when more than one authentication method is enabled, and NTLM connections are re-used. This can lead to a violation of confidentiality, integrity, and availability of protected information. The exploitation of this issue can be done remotely.

Recommendations For versions 7.10.6 through 7.34.0, to mitigate this problem, applications can disable libcurl's re-use of connections by using one of the following libcurl options: CURLOPT FRESH CONNECT, CURLOPT MAXCONNECTS, or CURLMOPT MAX HOST CONNECTIONS (if using the curl multi API).

Correção

Improper Authentication

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-287CWE-305

Identificadores relacionados

ALT-PU-2014-1107

BDU:2015-06304

BDU:2015-06305

BDU:2015-09087

BDU:2015-09088

CESA-2014_0561

CVE-2014-0015

DSA-2849-1

MGASA-2014-0153

OPENSUSE-SU-2024:10303-1

RHSA-2014:0561

RHSA-2014_0561

SUSE-SU-2014_0171-1

SUSE-SU-2014_0175-1

SUSE-SU-2014_0175-2

SUSE-SU-2015:0962-1

Produtos afetados

Alt Linux

Centos

Junos

Red Hat

Suse

Curl

Libcurl

PT-2014-1829 · Curl+5 · Libcurl+6

CVE-2014-0015

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 75