CVE-2014-3613
curl and libcurl < 7.38.0 (7.31.0 through 7.37.1 affected) - Cookie Domain Validation Bypass via IP Address Handling
Title source: llmDescription
cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.
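The description above is the whole bug in one sentence: libcurl applied its cookie-domain "tail match" (host ends with the cookie domain on a label boundary) even when the host was an IP address, so "168.0.1" was accepted as a parent domain of both 192.168.0.1 and 127.168.0.1. The following Python model is an added illustration written for this page, not curl's code; the tail-match rule and the fixed rule (an IP-address host only ever matches exactly) are modelled on the curl behaviour before and after 7.38.0, while the CookieJar and the Set-Cookie parsing are a deliberately minimal stand-in for a real cookie engine.

```python
"""Model of CVE-2014-3613: cookie domain tail-matching with and without the IP-address check.
Constructed example for this page; not libcurl source."""
import ipaddress


def tailmatch(cookie_domain: str, host: str) -> bool:
    """Tail match in the style of libcurl's cookie engine: the host either equals the
    cookie domain or ends with it on a '.' label boundary. Case-insensitive; a leading
    dot on the cookie domain is ignored."""
    cd = cookie_domain.lower().lstrip(".")
    h = host.lower()
    if not cd or len(cd) > len(h):
        return False
    if cd == h:
        return True
    return h.endswith(cd) and h[-len(cd) - 1] == "."


def is_ip_literal(host: str) -> bool:
    """True for a bare IPv4/IPv6 literal (brackets tolerated). '168.0.1' is NOT an IP."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def domain_matches_vulnerable(cookie_domain: str, host: str) -> bool:
    """Pre-7.38.0 behaviour: tail matching is applied regardless of whether the host
    is a name or an address, so '168.0.1' 'covers' 192.168.0.1 and 127.168.0.1 alike."""
    return tailmatch(cookie_domain, host)


def domain_matches_fixed(cookie_domain: str, host: str) -> bool:
    """7.38.0-style behaviour: when the host (or the cookie domain) is an IP literal,
    only an exact match counts; tail matching is reserved for real host names."""
    if is_ip_literal(host) or is_ip_literal(cookie_domain.lstrip(".")):
        return host.lower() == cookie_domain.lower().lstrip(".")
    return tailmatch(cookie_domain, host)


class CookieJar:
    """Minimal jar: stores (domain, name, value); matcher decides both acceptance and send."""

    def __init__(self, matcher):
        self.matcher = matcher
        self.cookies = []

    def set_cookie(self, origin_host: str, header_value: str) -> bool:
        """Parse a Set-Cookie value; accept only if the Domain attribute matches the
        origin host under the configured rule. Returns True when stored."""
        parts = [p.strip() for p in header_value.split(";")]
        name, _, value = parts[0].partition("=")
        domain = origin_host  # no Domain attribute: host-only cookie
        for attr in parts[1:]:
            k, _, v = attr.partition("=")
            if k.strip().lower() == "domain" and v.strip():
                domain = v.strip()
        if not self.matcher(domain, origin_host):
            return False
        self.cookies.append((domain.lower().lstrip("."), name.strip(), value.strip()))
        return True

    def cookies_for(self, host: str) -> dict:
        """Cookies that would be attached to a request for host."""
        return {n: v for d, n, v in self.cookies if self.matcher(d, host)}


def demo(matcher):
    """The CVE scenario: 192.168.0.1 sets a cookie for '168.0.1', then 127.168.0.1 is
    requested. Returns (cookie accepted?, cookies sent to 127.168.0.1)."""
    jar = CookieJar(matcher)
    accepted = jar.set_cookie("192.168.0.1", "session=s3cr3t; Domain=168.0.1")
    return accepted, jar.cookies_for("127.168.0.1")


def demo_hostname(matcher):
    """Sanity check that ordinary host-name cookies still flow under both rules."""
    jar = CookieJar(matcher)
    jar.set_cookie("www.example.com", "pref=dark; Domain=example.com")
    return jar.cookies_for("api.example.com")


if __name__ == "__main__":
    print("vulnerable:", demo(domain_matches_vulnerable))   # (True, {'session': 's3cr3t'})
    print("fixed:     ", demo(domain_matches_fixed))        # (False, {})
    print("hostnames: ", demo_hostname(domain_matches_fixed))
```

Running the block shows the leak under the vulnerable rule (the cookie set by 192.168.0.1 is attached to the request for the unrelated 127.168.0.1) and its absence under the fixed rule, where the Domain=168.0.1 attribute is refused outright because an IP-address origin can only set cookies for itself. Note that the label-boundary check alone does not help here: the character before "168.0.1" in "192.168.0.1" is a dot, which is exactly why the address case needs its own rule.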
References (11)
Vendor Advisory (confirm): http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
Patch (confirm, curl project advisory): http://curl.haxx.se/docs/adv_20140910A.html
Vendor Advisory (confirm): http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
Vendor Advisory (confirm): http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
Mailing List, vendor advisory (Apple): http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
Vendor Advisory (confirm, Juniper): http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743
Mailing List, vendor advisory (SUSE): http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00024.html
Third Party Advisory, VDB Entry (BID): http://www.securityfocus.com/bid/69748
Vendor Advisory (confirm, Apple): https://support.apple.com/kb/HT205031
Vendor Advisory (Debian): http://www.debian.org/security/2014/dsa-3022
Vendor Advisory (Red Hat): http://rhn.redhat.com/errata/RHSA-2015-1254.html
Scores
EPSS: 0.0182 (percentile 83.1%)
Details
CWE: CWE-310
Status: published
Products (17)
apple/mac_os_x < 10.10.4
haxx/curl 7.31.0
haxx/curl 7.32.0
haxx/curl 7.33.0
haxx/curl 7.34.0
haxx/curl 7.35.0
haxx/curl 7.36.0
haxx/curl 7.37.0
haxx/curl < 7.37.1
haxx/libcurl 7.31.0
... and 7 more
Published: Nov 18, 2014
Tracked Since: Feb 18, 2026