PT-2014-5424 · Curl+4 · Libcurl+5

Published

2014-09-10

·

Updated

2024-06-15

·

CVE-2014-3620

CVSS v2.0

5.0

Medium

VectorAV:N/AC:L/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions cURL and libcurl versions prior to 7.38.0
Description The issue allows remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain. This occurs because libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), making them apply broader than cookies are allowed. As a result, arbitrary sites can set cookies that would then get sent to a different and unrelated site or domain.
Recommendations For versions prior to 7.38.0, update to version 7.38.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of cookies for top-level domains to minimize the risk of exploitation.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-201CWE-310

Related Identifiers

ALT-PU-2014-2123
CVE-2014-3620
MGASA-2014-0385
OPENSUSE-SU-2014_1139-1
OPENSUSE-SU-2024:10303-1
USN-2346-1

Affected Products

Alt Linux
Junos
Suse
Ubuntu
Curl
Libcurl