CVE-2014-3613
Description
cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
CVE-2014-3613 NameCVE-2014-3613 DescriptioncURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1. SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu,โฆ
CVE-2014-3613
| Name | CVE-2014-3613 |
| Description | cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-64-1, DSA-3022-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| curl (PTS) | bullseye | 7.74.0-1.3+deb11u13 | fixed |
| bullseye (security) | 7.74.0-1.3+deb11u16 | fixed | |
| bookworm | 7.88.1-10+deb12u14 | fixed | |
| bookworm (security) | 7.88.1-10+deb12u5 | fixed | |
| trixie | 8.14.1-2+deb13u3 | fixed | |
| forky | 8.20.0-2 | fixed | |
| sid | 8.20.0-3 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| curl | source | squeeze | 7.21.0-2.1+squeeze9 | DLA-64-1 | ||
| curl | source | wheezy | 7.26.0-1+wheezy10 | DSA-3022-1 | ||
| curl | source | (unstable) | 7.38.0-1 |
Notes
http://curl.haxx.se/docs/adv_20140910A.html
Apply commands
http://curl.haxx.se/docs/adv_20140910A.htmlOS impact
macOS Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | โ |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 7.38.0-1 |
| sid | Fixed | 7.38.0-1 |
| forky | Fixed | 7.38.0-1 |
| bullseye | Fixed | 7.38.0-1 |
| bookworm | Fixed | 7.38.0-1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| haxx | curl | {"endIncluding":"7.37.1"} | |
| haxx | curl | 7.31.0 | |
| haxx | curl | 7.32.0 | |
| haxx | curl | 7.33.0 | |
| haxx | curl | 7.34.0 | |
| haxx | curl | 7.35.0 | |
| haxx | curl | 7.36.0 | |
| haxx | curl | 7.37.0 | |
| haxx | libcurl | {"endIncluding":"7.37.1"} | |
| haxx | libcurl | 7.31.0 | |
| haxx | libcurl | 7.32.0 | |
| haxx | libcurl | 7.33.0 | |
| haxx | libcurl | 7.34.0 | |
| haxx | libcurl | 7.35.0 | |
| haxx | libcurl | 7.36.0 | |
| haxx | libcurl | 7.37.0 | |
References
- http://curl.haxx.se/docs/adv_20140910A.html
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00024.html
- http://rhn.redhat.com/errata/RHSA-2015-1254.html
- http://www.debian.org/security/2014/dsa-3022
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
- http://www.securityfocus.com/bid/69748
- https://support.apple.com/kb/HT205031
- https://security-tracker.debian.org/tracker/CVE-2014-3613
CWEs
CWE-310
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.