CVE-2014-2522
Published Apr 18, 2014
Last updated 8 years ago
Overview
- Description
- curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.
- Source
- cve@mitre.org
- NVD status
- Modified
Social media
- Hype score
- Not currently trending
Risk scores
CVSS 2.0
- Type
- Primary
- Base score
- 4
- Impact score
- 4.9
- Exploitability score
- 4.9
- Vector string
- AV:N/AC:H/Au:N/C:P/I:P/A:N
Weaknesses
- nvd@nist.gov
- CWE-20
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:haxx:curl:7.27.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "EBF5418D-1162-4B1E-BC3D-06A3E084BEFB"
},
{
"criteria": "cpe:2.3:a:haxx:curl:7.28.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "1CA65F31-3D54-4F66-A0A3-2BD993FF38F7"
},
{
"criteria": "cpe:2.3:a:haxx:curl:7.28.1:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "41ACC9FE-62FF-424B-B4B8-B033FEAF7686"
},
{
"criteria": "cpe:2.3:a:haxx:curl:7.29.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "F8BC39E9-5945-4DC8-ACA8-1C9918D9F279"
},
{
"criteria": "cpe:2.3:a:haxx:curl:7.30.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "B9658447-FBB0-4DEA-8FEE-BD4D3D1BF7FF"
},
{
"criteria": "cpe:2.3:a:haxx:curl:7.31.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "5ECABFCB-0D02-4B5B-BB35-C6B3C0896348"
},
{
"criteria": "cpe:2.3:a:haxx:curl:7.32.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "5A5176F0-E62F-46FF-B536-DC0680696773"
},
{
"criteria": "cpe:2.3:a:haxx:curl:7.33.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "506A3761-3D24-43DB-88D8-4EB5B9E8BA5C"
},
{
"criteria": "cpe:2.3:a:haxx:curl:7.34.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "0B6EF8B0-0E86-449C-A500-ACD902A78C7F"
},
{
"criteria": "cpe:2.3:a:haxx:curl:7.35.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "4D558CC2-0146-4887-834E-19FCB1D512A3"
},
{
"criteria": "cpe:2.3:a:haxx:libcurl:7.27.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "CBFD9ED9-2412-44AE-9C55-0ED03A121B23"
},
{
"criteria": "cpe:2.3:a:haxx:libcurl:7.28.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "67CCE31B-ABDA-4F32-BAF1-B1AD0664B3E2"
},
{
"criteria": "cpe:2.3:a:haxx:libcurl:7.28.1:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "9E66A332-ECD1-4452-B444-FB629022FDF0"
},
{
"criteria": "cpe:2.3:a:haxx:libcurl:7.29.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "CDD3D599-35E9-4590-B5E0-3AF04D344695"
},
{
"criteria": "cpe:2.3:a:haxx:libcurl:7.30.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "A3B6BFFB-7967-482C-9B49-4BD25C815299"
},
{
"criteria": "cpe:2.3:a:haxx:libcurl:7.31.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "1791BF6D-2C96-4A6E-90D4-2906A73601F6"
},
{
"criteria": "cpe:2.3:a:haxx:libcurl:7.32.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "260DD751-4145-4B75-B892-5FC932C6A305"
},
{
"criteria": "cpe:2.3:a:haxx:libcurl:7.33.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "EFF4AD0D-2EC5-4CE8-B6B3-2EC8ED2FF118"
},
{
"criteria": "cpe:2.3:a:haxx:libcurl:7.34.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "3EB1CB85-0A9B-4816-B471-278774EE6D4C"
},
{
"criteria": "cpe:2.3:a:haxx:libcurl:7.35.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "3831AB03-4E7E-476D-9623-58AADC188DFE"
},
{
"criteria": "cpe:2.3:a:haxx:libcurl:7.36.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "ABACE305-2F0C-4B59-BC5C-6DF162B450E4"
}
],
"operator": "OR"
},
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*",
"vulnerable": false,
"matchCriteriaId": "2CF61F35-5905-4BA9-AD7E-7DB261D2F256"
}
],
"operator": "OR"
}
],
"operator": "AND"
}
]