PT-2014-4760 · Curl · Libcurl

Published: 2014-03-26 · Updated: 2017-04-29 · CVE-2014-2522

CVSS v2.0: 4.0 (Medium)
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: libcurl versions 7.27.0 through 7.35.0

Description: When libcurl is built to use the SChannel/WinSSL TLS backend on Windows and accesses a URL whose host is a numerical IP address, it fails to verify that the server hostname matches a name in the subject's Common Name (CN) or the subjectAltName field of the X.509 certificate. A man-in-the-middle attacker holding an arbitrary valid certificate can therefore spoof the server. The problem is specific to libcurl built against SChannel, the native TLS library provided by Microsoft Windows, and affects only users on Windows.

Recommendations: For libcurl versions 7.27.0 through 7.35.0, consider disabling the SChannel/WinSSL TLS backend until a patch is available, or restrict access to URLs that use numerical IP addresses to minimize the risk of exploitation.
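To make the missing check concrete, here is an added Python example (not libcurl's code) of a hostname matcher that accepts a numerical IP address only when the certificate carries a matching iPAddress subjectAltName entry, and otherwise matches DNS names (and the CN as a fallback) with a single-label wildcard. The certificate contents used in the example are constructed sample data.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-ID match. A single leftmost '*.' wildcard covers
    exactly one label and never the whole hostname (RFC 6125 style)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False  # only a whole leftmost label may be a wildcard
    p_labels, h_labels = pattern.split("."), host.split(".")
    return (len(p_labels) == len(h_labels) and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])

def _ip_san_match(value: str, ip) -> bool:
    try:
        return ipaddress.ip_address(value) == ip
    except ValueError:
        return False  # a malformed iPAddress entry never matches

def host_matches_cert(host: str, san: Iterable[Tuple[str, str]],
                      common_name: Optional[str] = None) -> bool:
    """Return True only if the requested host is covered by the certificate.
    `san` holds (type, value) pairs from subjectAltName with type 'DNS' or
    'IP Address' (the layout Python's ssl.getpeercert() uses). The CN is
    consulted only when the certificate has no DNS SAN entries."""
    san = list(san)
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # The case CVE-2014-2522 describes: a numerical IP in the URL must be
        # compared against iPAddress SAN entries, never skipped and never
        # matched against DNS names or the CN.
        return any(t == "IP Address" and _ip_san_match(v, ip) for t, v in san)
    dns_ids = [v for t, v in san if t == "DNS"]
    if dns_ids:
        return any(_dns_match(p, host) for p in dns_ids)
    return common_name is not None and _dns_match(common_name, host)

# Constructed sample certificate contents (not a real certificate).
SAMPLE_SAN = [("DNS", "*.example.test"), ("IP Address", "203.0.113.10")]
SAMPLE_CN = "example.test"
```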


Weakness Enumeration

Related Identifiers: CVE-2014-2522

Affected Products: Libcurl