the original cloud security
Showing 1 - 8 of 8 RSS Feed

CVE-2014-0015

Status Candidate

Overview

cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.

Related Files

Mandriva Linux Security Advisory 2015-098
Posted Mar 30, 2015
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2015-098 - Paras Sethia discovered that libcurl would sometimes mix up multiple HTTP and HTTPS connections with NTLM authentication to the same server, sending requests for one user over the connection authenticated as a different user. libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP, causing a transfer that was initiated by an application to wrongfully re-use an existing connection to the same server that was authenticated using different credentials. Various other issues were also addressed.

tags | advisory, web, protocol
systems | linux, mandriva
advisories | CVE-2014-0015, CVE-2014-0138, CVE-2014-0139, CVE-2014-3613, CVE-2014-3620, CVE-2014-3707, CVE-2014-8150
MD5 | d3e6fd95838b2a36118b683c99ced795
VMware Security Advisory 2014-0012
Posted Dec 5, 2014
Authored by VMware | Site vmware.com

VMware Security Advisory 2014-0012 - VMware vSphere product updates address a Cross Site Scripting issue, a certificate validation issue and security vulnerabilities in third-party libraries.

tags | advisory, vulnerability, xss
advisories | CVE-2013-1752, CVE-2013-2877, CVE-2013-4238, CVE-2014-0015, CVE-2014-0138, CVE-2014-0191, CVE-2014-3797, CVE-2014-8371
MD5 | f36bc2e46b09054b56cf41449f829177
Apple Security Advisory 2014-06-30-2
Posted Jul 1, 2014
Authored by Apple | Site apple.com

Apple Security Advisory 2014-06-30-2 - OS X Mavericks 10.9.4 and Security Update 2014-003 are now available and address application termination, code execution, sandbox circumvention, bypass, and various other vulnerabilities.

tags | advisory, vulnerability, code execution
systems | apple, osx
advisories | CVE-2014-0015, CVE-2014-1317, CVE-2014-1355, CVE-2014-1356, CVE-2014-1357, CVE-2014-1358, CVE-2014-1359, CVE-2014-1361, CVE-2014-1370, CVE-2014-1371, CVE-2014-1372, CVE-2014-1373, CVE-2014-1375, CVE-2014-1376, CVE-2014-1377, CVE-2014-1378, CVE-2014-1379, CVE-2014-1380, CVE-2014-1381
MD5 | de8fa04b47218d6116b0d5a1da0af19b
Mandriva Linux Security Advisory 2014-110
Posted Jun 10, 2014
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2014-110 - Paras Sethia discovered that libcurl would sometimes mix up multiple HTTP and HTTPS connections with NTLM authentication to the same server, sending requests for one user over the connection authenticated as a different user. libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP, causing a transfer that was initiated by an application to wrongfully re-use an existing connection to the same server that was authenticated using different credentials. libcurl incorrectly validates wildcard SSL certificates containing literal IP addresses, so under certain conditions, it would allow and use a wildcard match specified in the CN field, allowing a malicious server to participate in a MITM attack or just fool users into believing that it is a legitimate site.

tags | advisory, web, protocol
systems | linux, mandriva
advisories | CVE-2014-0015, CVE-2014-0138, CVE-2014-0139
MD5 | db1f963c40f0fd41b1cddb8ce5d5f1d5
Red Hat Security Advisory 2014-0561-01
Posted May 28, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0561-01 - cURL provides the libcurl library and a command line tool for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that libcurl could incorrectly reuse existing connections for requests that should have used different or no authentication credentials, when using one of the following protocols: HTTP with NTLM authentication, LDAP, SCP, or SFTP. If an application using the libcurl library connected to a remote server with certain authentication credentials, this flaw could cause other requests to use those same credentials.

tags | advisory, remote, web, protocol
systems | linux, redhat
advisories | CVE-2014-0015, CVE-2014-0138
MD5 | ca75f8603c28da55ec239f5a7f9effdb
Slackware Security Advisory - curl Updates
Posted Feb 15, 2014
Authored by Slackware Security Team | Site slackware.com

Slackware Security Advisory - New curl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

tags | advisory
systems | linux, slackware
advisories | CVE-2014-0015
MD5 | 8c8b19a216e18028913692512fe8bd07
Ubuntu Security Notice USN-2097-1
Posted Feb 3, 2014
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2097-1 - Paras Sethia and Yehezkel Horowitz discovered that libcurl incorrectly reused connections when NTLM authentication was being used. This could lead to the use of unintended credentials, possibly exposing sensitive information.

tags | advisory
systems | linux, ubuntu
advisories | CVE-2014-0015
MD5 | 4be01c62dd46bc2f7fa8c6bc62b6f179
Debian Security Advisory 2849-1
Posted Jan 31, 2014
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2849-1 - Paras Sethia discovered that libcurl, a client-side URL transfer library, would sometimes mix up multiple HTTP and HTTPS connections with NTLM authentication to the same server, sending requests for one user over the connection authenticated as a different user.

tags | advisory, web
systems | linux, debian
advisories | CVE-2014-0015
MD5 | 30995661227275cc7e173b0a93245365
Page 1 of 1
Back1Next

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close