CVE-2014-2522

Severity Score

4.0

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.

curl y libcurl versiones 7.27.0 hasta 7.35.0, cuando se ejecuta en Windows y utiliza el backend TLS SChannel/Winssl, no comprueba que el nombre de host del servidor coincida con un nombre de dominio en el campo subject's Common Name (CN) o subjectAltName del certificado X.509 cuando se accede a una URL que usa una dirección IP numérica, que permite a los atacantes de tipo man-in-the-middle falsificar servidores por medio de un certificado válido arbitrario.

*Credits: N/A

CVSS Scores

NISTv2 4.0

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2014-03-17 CVE Reserved
2014-03-29 CVE Published
2023-11-29 EPSS Updated
2024-08-06 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation

CAPEC

References (12)

URL	Tag	Source
http://seclists.org/oss-sec/2014/q1/585	Mailing List
http://seclists.org/oss-sec/2014/q1/586	Mailing List
http://secunia.com/advisories/59458	Third Party Advisory
http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095862	X_refsource_confirm
http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release	X_refsource_confirm
http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release	X_refsource_confirm
http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release	X_refsource_confirm
http://www.securityfocus.com/bid/66296	Vdb Entry

URL	Date	SRC

URL	Date	SRC
http://curl.haxx.se/docs/adv_20140326D.html	2017-04-29

URL	Date	SRC
http://secunia.com/advisories/57836	2017-04-29
http://secunia.com/advisories/57966	2017-04-29
http://secunia.com/advisories/57968	2017-04-29

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Haxx Search vendor "Haxx"	Curl Search vendor "Haxx" for product "Curl"	7.27.0 Search vendor "Haxx" for product "Curl" and version "7.27.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Haxx Search vendor "Haxx"	Curl Search vendor "Haxx" for product "Curl"	7.28.0 Search vendor "Haxx" for product "Curl" and version "7.28.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Haxx Search vendor "Haxx"	Curl Search vendor "Haxx" for product "Curl"	7.28.1 Search vendor "Haxx" for product "Curl" and version "7.28.1"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Haxx Search vendor "Haxx"	Curl Search vendor "Haxx" for product "Curl"	7.29.0 Search vendor "Haxx" for product "Curl" and version "7.29.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Haxx Search vendor "Haxx"	Curl Search vendor "Haxx" for product "Curl"	7.30.0 Search vendor "Haxx" for product "Curl" and version "7.30.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Haxx Search vendor "Haxx"	Curl Search vendor "Haxx" for product "Curl"	7.31.0 Search vendor "Haxx" for product "Curl" and version "7.31.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Haxx Search vendor "Haxx"	Curl Search vendor "Haxx" for product "Curl"	7.32.0 Search vendor "Haxx" for product "Curl" and version "7.32.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Haxx Search vendor "Haxx"	Curl Search vendor "Haxx" for product "Curl"	7.33.0 Search vendor "Haxx" for product "Curl" and version "7.33.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Haxx Search vendor "Haxx"	Curl Search vendor "Haxx" for product "Curl"	7.34.0 Search vendor "Haxx" for product "Curl" and version "7.34.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Haxx Search vendor "Haxx"	Curl Search vendor "Haxx" for product "Curl"	7.35.0 Search vendor "Haxx" for product "Curl" and version "7.35.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Haxx Search vendor "Haxx"	Libcurl Search vendor "Haxx" for product "Libcurl"	7.27.0 Search vendor "Haxx" for product "Libcurl" and version "7.27.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Haxx Search vendor "Haxx"	Libcurl Search vendor "Haxx" for product "Libcurl"	7.28.0 Search vendor "Haxx" for product "Libcurl" and version "7.28.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Haxx Search vendor "Haxx"	Libcurl Search vendor "Haxx" for product "Libcurl"	7.28.1 Search vendor "Haxx" for product "Libcurl" and version "7.28.1"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Haxx Search vendor "Haxx"	Libcurl Search vendor "Haxx" for product "Libcurl"	7.29.0 Search vendor "Haxx" for product "Libcurl" and version "7.29.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Haxx Search vendor "Haxx"	Libcurl Search vendor "Haxx" for product "Libcurl"	7.30.0 Search vendor "Haxx" for product "Libcurl" and version "7.30.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Haxx Search vendor "Haxx"	Libcurl Search vendor "Haxx" for product "Libcurl"	7.31.0 Search vendor "Haxx" for product "Libcurl" and version "7.31.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Haxx Search vendor "Haxx"	Libcurl Search vendor "Haxx" for product "Libcurl"	7.32.0 Search vendor "Haxx" for product "Libcurl" and version "7.32.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Haxx Search vendor "Haxx"	Libcurl Search vendor "Haxx" for product "Libcurl"	7.33.0 Search vendor "Haxx" for product "Libcurl" and version "7.33.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Haxx Search vendor "Haxx"	Libcurl Search vendor "Haxx" for product "Libcurl"	7.34.0 Search vendor "Haxx" for product "Libcurl" and version "7.34.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Haxx Search vendor "Haxx"	Libcurl Search vendor "Haxx" for product "Libcurl"	7.35.0 Search vendor "Haxx" for product "Libcurl" and version "7.35.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe
Haxx Search vendor "Haxx"	Libcurl Search vendor "Haxx" for product "Libcurl"	7.36.0 Search vendor "Haxx" for product "Libcurl" and version "7.36.0"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	*	-	Safe