CVE-2014-2522

Affected configuration(s):

cpe:/a:haxx:curl:7.27.0
cpe:/a:haxx:curl:7.28.0
cpe:/a:haxx:curl:7.28.1
cpe:/a:haxx:curl:7.29.0
cpe:/a:haxx:curl:7.30.0
cpe:/a:haxx:curl:7.31.0
cpe:/a:haxx:curl:7.32.0
cpe:/a:haxx:curl:7.33.0
cpe:/a:haxx:curl:7.34.0
cpe:/a:haxx:curl:7.35.0
cpe:/a:haxx:libcurl:7.27.0
cpe:/a:haxx:libcurl:7.28.0
cpe:/a:haxx:libcurl:7.28.1
cpe:/a:haxx:libcurl:7.29.0
cpe:/a:haxx:libcurl:7.30.0
cpe:/a:haxx:libcurl:7.31.0
cpe:/a:haxx:libcurl:7.32.0
cpe:/a:haxx:libcurl:7.33.0
cpe:/a:haxx:libcurl:7.34.0
cpe:/a:haxx:libcurl:7.35.0
cpe:/a:haxx:libcurl:7.36.0

Date published: 2014-04-18T18:14:38.587-04:00

Date last modified: 2017-04-28T21:59:01.413-04:00

CVSS Score: 4.0

Principal attack vector: NETWORK

Complexity: HIGH

Reference URL: http://curl.haxx.se/docs/adv_20140326D.html

Summary: curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, do not verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.
