PT-2014-1829 · Curl+5 · Libcurl+6

Published

2014-01-29

Updated

2024-06-15

CVE-2014-0015

CVSS v2.0

6.8

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions cURL and libcurl versions 7.10.6 through 7.34.0

Description The issue allows context-dependent attackers to authenticate as other users via a request when more than one authentication method is enabled, and NTLM connections are re-used. This can lead to a violation of confidentiality, integrity, and availability of protected information. The exploitation of this issue can be done remotely.

Recommendations For versions 7.10.6 through 7.34.0, to mitigate this problem, applications can disable libcurl's re-use of connections by using one of the following libcurl options: CURLOPT FRESH CONNECT, CURLOPT MAXCONNECTS, or CURLMOPT MAX HOST CONNECTIONS (if using the curl multi API).

Fix

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287CWE-305

Related Identifiers

ALT-PU-2014-1107

BDU:2015-06304

BDU:2015-06305

BDU:2015-09087

BDU:2015-09088

CESA-2014_0561

CVE-2014-0015

DSA-2849-1

MGASA-2014-0153

OPENSUSE-SU-2024:10303-1

RHSA-2014:0561

RHSA-2014_0561

SUSE-SU-2014_0171-1

SUSE-SU-2014_0175-1

SUSE-SU-2014_0175-2

SUSE-SU-2015:0962-1

Affected Products

Alt Linux

Centos

Junos

Red Hat

Suse

Curl

Libcurl

PT-2014-1829 · Curl+5 · Libcurl+6

CVE-2014-0015

Weakness Enumeration

Related Identifiers

Affected Products

References · 75