CVE-2014-3613
Last modified
CVE-2014-3613 is a vulnerability of currently unknown severity. cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.. EPSS estimates a 7.43% chance of exploitation in the next 30 days.
Description
cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Haxx | Curl | <= 7.37.1 |
| Haxx | Curl | 7.31.0 |
| Haxx | Curl | 7.32.0 |
| Haxx | Curl | 7.33.0 |
| Haxx | Curl | 7.34.0 |
| Haxx | Curl | 7.35.0 |
| Haxx | Curl | 7.36.0 |
| Haxx | Curl | 7.37.0 |
| Haxx | Libcurl | <= 7.37.1 |
| Haxx | Libcurl | 7.31.0 |
| Haxx | Libcurl | 7.32.0 |
| Haxx | Libcurl | 7.33.0 |
| Haxx | Libcurl | 7.34.0 |
| Haxx | Libcurl | 7.35.0 |
| Haxx | Libcurl | 7.36.0 |
| Haxx | Libcurl | 7.37.0 |
| Apple | Mac Os X | <= 10.10.4 |
References
- http://www.debian.org/security/2014/dsa-3022Vendor Advisory
- http://www.debian.org/security/2014/dsa-3022Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2014-3613?
How severe is CVE-2014-3613?
How do I fix CVE-2014-3613?
Are you affected by CVE-2014-3613?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST