CVE-2014-2522

Published Apr 18, 2014

Last updated 3 months ago

CVSS info 4.0

Overview

Description: curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.
Source: cve@mitre.org
NVD status: Modified

Risk scores

CVSS 2.0

Type: Primary
Base score: 4
Impact score: 4.9
Exploitability score: 4.9
Vector string: AV:N/AC:H/Au:N/C:P/I:P/A:N

Weaknesses

nvd@nist.gov: CWE-20

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:haxx:curl:7.27.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EBF5418D-1162-4B1E-BC3D-06A3E084BEFB"
          },
          {
            "criteria": "cpe:2.3:a:haxx:curl:7.28.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1CA65F31-3D54-4F66-A0A3-2BD993FF38F7"
          },
          {
            "criteria": "cpe:2.3:a:haxx:curl:7.28.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "41ACC9FE-62FF-424B-B4B8-B033FEAF7686"
          },
          {
            "criteria": "cpe:2.3:a:haxx:curl:7.29.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F8BC39E9-5945-4DC8-ACA8-1C9918D9F279"
          },
          {
            "criteria": "cpe:2.3:a:haxx:curl:7.30.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B9658447-FBB0-4DEA-8FEE-BD4D3D1BF7FF"
          },
          {
            "criteria": "cpe:2.3:a:haxx:curl:7.31.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5ECABFCB-0D02-4B5B-BB35-C6B3C0896348"
          },
          {
            "criteria": "cpe:2.3:a:haxx:curl:7.32.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5A5176F0-E62F-46FF-B536-DC0680696773"
          },
          {
            "criteria": "cpe:2.3:a:haxx:curl:7.33.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "506A3761-3D24-43DB-88D8-4EB5B9E8BA5C"
          },
          {
            "criteria": "cpe:2.3:a:haxx:curl:7.34.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0B6EF8B0-0E86-449C-A500-ACD902A78C7F"
          },
          {
            "criteria": "cpe:2.3:a:haxx:curl:7.35.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4D558CC2-0146-4887-834E-19FCB1D512A3"
          },
          {
            "criteria": "cpe:2.3:a:haxx:libcurl:7.27.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CBFD9ED9-2412-44AE-9C55-0ED03A121B23"
          },
          {
            "criteria": "cpe:2.3:a:haxx:libcurl:7.28.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "67CCE31B-ABDA-4F32-BAF1-B1AD0664B3E2"
          },
          {
            "criteria": "cpe:2.3:a:haxx:libcurl:7.28.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9E66A332-ECD1-4452-B444-FB629022FDF0"
          },
          {
            "criteria": "cpe:2.3:a:haxx:libcurl:7.29.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CDD3D599-35E9-4590-B5E0-3AF04D344695"
          },
          {
            "criteria": "cpe:2.3:a:haxx:libcurl:7.30.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A3B6BFFB-7967-482C-9B49-4BD25C815299"
          },
          {
            "criteria": "cpe:2.3:a:haxx:libcurl:7.31.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1791BF6D-2C96-4A6E-90D4-2906A73601F6"
          },
          {
            "criteria": "cpe:2.3:a:haxx:libcurl:7.32.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "260DD751-4145-4B75-B892-5FC932C6A305"
          },
          {
            "criteria": "cpe:2.3:a:haxx:libcurl:7.33.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EFF4AD0D-2EC5-4CE8-B6B3-2EC8ED2FF118"
          },
          {
            "criteria": "cpe:2.3:a:haxx:libcurl:7.34.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3EB1CB85-0A9B-4816-B471-278774EE6D4C"
          },
          {
            "criteria": "cpe:2.3:a:haxx:libcurl:7.35.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3831AB03-4E7E-476D-9623-58AADC188DFE"
          },
          {
            "criteria": "cpe:2.3:a:haxx:libcurl:7.36.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "ABACE305-2F0C-4B59-BC5C-6DF162B450E4"
          }
        ],
        "operator": "OR"
      },
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "2CF61F35-5905-4BA9-AD7E-7DB261D2F256"
          }
        ],
        "operator": "OR"
      }
    ],
    "operator": "AND"
  }
]

Overview

Risk scores

CVSS 2.0

Weaknesses

Social media

Configurations

References