Vulnerability Description
cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.
CVSS Score
4.0
MEDIUM
AV:N/AC:H/Au:N/C:P/I:P/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Haxx | Libcurl | 7.10.6 |
| Haxx | Curl | 7.10.6 |
Related Weaknesses (CWE)
References
- http://archives.neohapsis.com/archives/bugtraq/2014-06/0172.html
- http://curl.haxx.se/docs/adv_20140129.htmlPatchVendor Advisory
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743
- http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127627.h
- http://lists.fedoraproject.org/pipermail/package-announce/2014-February/128408.h
- http://lists.opensuse.org/opensuse-updates/2014-02/msg00066.html
- http://seclists.org/fulldisclosure/2014/Dec/23
- http://secunia.com/advisories/56728Vendor Advisory
- http://secunia.com/advisories/56731
- http://secunia.com/advisories/56734Vendor Advisory
- http://secunia.com/advisories/56912
- http://secunia.com/advisories/59458
- http://secunia.com/advisories/59475
- http://support.apple.com/kb/HT6296
- http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095862
FAQ
What is CVE-2014-0015?
CVE-2014-0015 is a vulnerability with a CVSS score of 4.0 (MEDIUM). cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via ...
How severe is CVE-2014-0015?
CVE-2014-0015 has been rated MEDIUM with a CVSS base score of 4.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-0015?
Check the references section above for vendor advisories and patch information. Affected products include: Haxx Libcurl, Haxx Curl.