PT-2014-1828 · Curl+4 · Libcurl+5

Published

2014-03-26

Updated

2026-05-18

CVE-2014-0138

CVSS v2.0

6.8

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions cURL and libcurl versions 7.10.6 through 7.36.0

Description The default configuration in cURL and libcurl re-uses connections for various protocols, which might allow context-dependent attackers to connect as other users via a request. This issue can lead to a violation of confidentiality, integrity, and availability of protected information. The exploitation of this issue can be done remotely.

Recommendations For versions 7.10.6 through 7.36.0, update to version 7.36.0 or later to resolve the issue. As a temporary workaround, consider disabling the re-use of connections for SCP, SFTP, POP3, POP3S, IMAP, IMAPS, SMTP, SMTPS, LDAP, and LDAPS protocols until a patch is available. Restrict access to sensitive information and resources to minimize the risk of exploitation.

Fix

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287CWE-305

Related Identifiers

ALT-PU-2014-1419

BDU:2015-06304

BDU:2015-06305

BDU:2015-09087

BDU:2015-09088

BDU:2015-09763

CESA-2014_0561

CLEANSTART-2026-AY18527

CLEANSTART-2026-BW46578

CLEANSTART-2026-DI23929

CLEANSTART-2026-LQ42192

CLEANSTART-2026-OF85770

CVE-2014-0138

DSA-2902-1

MGASA-2014-0153

OPENSUSE-SU-2024:10303-1

RHSA-2014:0561

RHSA-2014_0561

SUSE-SU-2014_0691-1

SUSE-SU-2015:0962-1

Affected Products

Alt Linux

Centos

Red Hat

Suse

Curl

Libcurl

PT-2014-1828 · Curl+4 · Libcurl+5

CVE-2014-0138

Weakness Enumeration

Related Identifiers

Affected Products

References · 329