PT-2014-1896 · Curl+6 · Libcurl+7
Richard Moore · Published 2014-03-26 · Updated 2026-05-18 · CVE-2014-0139
CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions
cURL and libcurl versions prior to 7.36.0
Description
The issue allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. It is caused by incorrect validation of wildcard SSL certificates against literal IP addresses in libcurl when it is built with certain TLS backends: OpenSSL, axtls, qsossl or gskit. RFC 2818 requires that wildcards not be used with IP addresses, precisely to prevent man-in-the-middle attacks; libcurl fails to enforce this rule under the conditions above, so a malicious server holding such a certificate can take part in a MITM attack or fool users into believing it is a legitimate site.
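The check RFC 2818 calls for, shown as an added example (not libcurl's own code): a flawed matcher that applies wildcard rules to any host string beside one that forces an exact match whenever the host is an IP literal. The function names and the sample pair (host `10.0.0.1`, certificate name `*.0.0.1`) are assumptions constructed for illustration.

```c
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>

/* True when host is a literal IPv4 or IPv6 address rather than a DNS name. */
static int is_ip_literal(const char *host)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, host, buf) == 1 || inet_pton(AF_INET6, host, buf) == 1;
}

/* Wildcard match: pattern must be "*.<label>.<label>..." with '*' as the whole
   leftmost label and at least two labels after it; '*' covers exactly one host
   label. Comparison is case-insensitive, as DNS names are. */
static int wildcard_match(const char *host, const char *pattern)
{
    const char *ptail = pattern + 1;          /* e.g. ".example.com" */
    const char *htail = strchr(host, '.');
    if (strncmp(pattern, "*.", 2) != 0) return 0;
    if (strchr(ptail + 1, '.') == NULL) return 0;  /* refuse "*.com" */
    if (htail == NULL || htail == host) return 0;
    return strcasecmp(htail, ptail) == 0;
}

/* Flawed matcher: wildcard rules are applied to any host string, so an IP
   literal can be "matched" by a wildcard pattern shaped like its tail. */
int hostmatch_naive(const char *host, const char *pattern)
{
    return strcasecmp(host, pattern) == 0 || wildcard_match(host, pattern);
}

/* RFC 2818 matcher: an IP literal must match the certificate name exactly;
   wildcards are only considered for DNS names. */
int hostmatch_rfc2818(const char *host, const char *pattern)
{
    if (is_ip_literal(host))
        return strcasecmp(host, pattern) == 0;
    return strcasecmp(host, pattern) == 0 || wildcard_match(host, pattern);
}
int main(void)
{
    /* Constructed sample: an IP literal and a wildcard shaped like its tail. */
    const char *ip = "10.0.0.1", *wild = "*.0.0.1";
    printf("naive=%d rfc2818=%d\n", hostmatch_naive(ip, wild), hostmatch_rfc2818(ip, wild));
    return 0;
}
```

The naive matcher accepts the constructed pair (prints `naive=1`), the RFC 2818 matcher rejects it (`rfc2818=0`) while still accepting ordinary DNS wildcards such as `*.example.com` for `www.example.com`.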
Recommendations
For versions prior to 7.36.0, update to version 7.36.0 or later, which resolves the issue. Where updating is not immediately possible, consider restricting the use of wildcard certificates or disabling the vulnerable TLS libraries, and avoid using libcurl with the affected TLS libraries for sensitive operations until the update has been applied.
Fix
Improper Authentication
Related Identifiers
Affected Products
Alt Linux
Openssl
Suse
Axtls
Curl
Gskit
Libcurl
Qsossl