CVE-2014-2522

Published: Apr 18, 2014Modified: May 6, 2026

4.0

Vector

AV:N/AC:H/Au:N/C:P/I:P/A:N

Exploitability: 4.9 / Impact: 4.9

Source: NVD

Description

curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.

Affected (21)

Products: Haxx: Curl, Libcurl

2 products

Configuration A

21 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Haxx Curl	Version 7.27.0
Haxx Curl	Version 7.28.0
Haxx Curl	Version 7.28.1
Haxx Curl	Version 7.29.0
Haxx Curl	Version 7.30.0
Haxx Curl	Version 7.31.0
Haxx Curl	Version 7.32.0
Haxx Curl	Version 7.33.0
Haxx Curl	Version 7.34.0
Haxx Curl	Version 7.35.0
Haxx Libcurl	Version 7.27.0
Haxx Libcurl	Version 7.28.0
Haxx Libcurl	Version 7.28.1
Haxx Libcurl	Version 7.29.0
Haxx Libcurl	Version 7.30.0
Haxx Libcurl	Version 7.31.0
Haxx Libcurl	Version 7.32.0
Haxx Libcurl	Version 7.33.0
Haxx Libcurl	Version 7.34.0
Haxx Libcurl	Version 7.35.0
Haxx Libcurl	Version 7.36.0

Running on/with	Platform Versions
Microsoft Windows	All versions

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (24)

http://curl.haxx.se/docs/adv_20140326D.html

Source: cve@mitre.org

PatchVendor Advisory

http://seclists.org/oss-sec/2014/q1/585

Source: cve@mitre.org

http://seclists.org/oss-sec/2014/q1/586

Source: cve@mitre.org

http://secunia.com/advisories/57836

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/57966

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/57968

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/59458

Source: cve@mitre.org

http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095862

Source: cve@mitre.org

http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/

Source: cve@mitre.org

http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/

Source: cve@mitre.org

http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/

Source: cve@mitre.org

http://www.securityfocus.com/bid/66296

Source: cve@mitre.org

http://curl.haxx.se/docs/adv_20140326D.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

http://seclists.org/oss-sec/2014/q1/585

Source: af854a3a-2127-422b-91ae-364da2661108

http://seclists.org/oss-sec/2014/q1/586

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/57836

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://secunia.com/advisories/57966

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://secunia.com/advisories/57968

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://secunia.com/advisories/59458

Source: af854a3a-2127-422b-91ae-364da2661108

http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095862

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/66296

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.