Page 8 of 51 results (0.009 seconds)

CVSS: 5.8EPSS: 0%CPEs: 130EXPL: 0

cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. cURL y libcurl 7.1 anterior a 7.36.0, cuando utilizando las librerías OpenSSL, axtls, gsossl o gskit para TLS, reconoce una dirección IP comodín (wildcard) en el campo del asunto Common Name (CN) de un certificado X.509, lo cual permitiría a atacantes man-in-the-middle suplantar servidores SSL arbitrarios a través de un certificado manipulado emitido por una autoridad de certificación legítima. • http://advisories.mageia.org/MGASA-2015-0165.html http://curl.haxx.se/docs/adv_20140326B.html http://lists.opensuse.org/opensuse-updates/2014-04/msg00042.html http://secunia.com/advisories/57836 http://secunia.com/advisories/57966 http://secunia.com/advisories/57968 http://secunia.com/advisories/58615 http://secunia.com/advisories/59458 http://www-01.ibm.com/support/docview.wss?uid=swg21675820 http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095862 http: • CWE-310: Cryptographic Issues •

CVSS: 4.0EPSS: 0%CPEs: 22EXPL: 0

curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate. curl y libcurl versiones 7.27.0 hasta 7.35.0, cuando se ejecuta en Windows y utiliza el backend TLS SChannel/Winssl, no comprueba que el nombre de host del servidor coincida con un nombre de dominio en el campo subject's Common Name (CN) o subjectAltName del certificado X.509 cuando se accede a una URL que usa una dirección IP numérica, que permite a los atacantes de tipo man-in-the-middle falsificar servidores por medio de un certificado válido arbitrario. • http://curl.haxx.se/docs/adv_20140326D.html http://seclists.org/oss-sec/2014/q1/585 http://seclists.org/oss-sec/2014/q1/586 http://secunia.com/advisories/57836 http://secunia.com/advisories/57966 http://secunia.com/advisories/57968 http://secunia.com/advisories/59458 http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095862 http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release http://www.getchef.com/blog/2014/04/09/enterp • CWE-20: Improper Input Validation •

CVSS: 4.3EPSS: 0%CPEs: 128EXPL: 0

cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request. cURL y libcurl 7.10.6 hasta 7.34.0, cuando más de un método de autenticación está habilitado, reutiliza conexiones NTLM, lo que podría permitir a atacantes dependientes de contexto autenticarse como otros usuarios a través de una solicitud. • http://archives.neohapsis.com/archives/bugtraq/2014-06/0172.html http://curl.haxx.se/docs/adv_20140129.html http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743 http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127627.html http://lists.fedoraproject.org/pipermail/package-announce/2014-February/128408.html http://lists.opensuse.org/opensuse-updates/2014-02/msg00066.html http://seclists.org/fulldisclosure/2014/Dec/23 http://secunia.com/advisories/56728 http:/ • CWE-287: Improper Authentication •

CVSS: 4.0EPSS: 0%CPEs: 23EXPL: 0

The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks. El backend de GnuTLS en libcurl 7.21.4 a 7.33.0, cuando se desactiva la verificación de firmas digitales (CURLOPT_SSL_VERIFYPEER), también desactiva la comprobación CURLOPT_SSL_VERIFYHOST para nombres de host CN o SAN, lo cual facilita a atacantes remotos la suplantación de servidores y la ejecución de ataques man-in-the-middle (MITM). • http://curl.haxx.se/docs/adv_20131217.html http://www.debian.org/security/2013/dsa-2824 http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html http://www.ubuntu.com/usn/USN-2058-1 https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04463322 • CWE-20: Improper Input Validation •

CVSS: 4.3EPSS: 0%CPEs: 68EXPL: 0

cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. cURL y libcurl 7.18.0 hasta la versión 7.32.0, cuando es compilado con OpenSSL, desactiva la verificación del nombre de campos del certificado CN y SAN (CURLOPT_SSL_VERIFYHOST) cuando la verificación de firma digital (CURLOPT_SSL_VERIFYPEER) está desactivada, lo que permite a atacantes man-in-the-middle falsificar servidores SSL a través de un certificado válido arbitrario. • http://curl.haxx.se/docs/adv_20131115.html http://lists.opensuse.org/opensuse-updates/2013-12/msg00047.html http://lists.opensuse.org/opensuse-updates/2013-12/msg00053.html http://www.debian.org/security/2013/dsa-2798 http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html http://www.ubuntu.com/usn/USN-2048-1 https:// • CWE-310: Cryptographic Issues •