CVE-2014-8151

Affected configuration(s):

cpe:/a:haxx:libcurl:7.31.0
cpe:/a:haxx:libcurl:7.32.0
cpe:/a:haxx:libcurl:7.33.0
cpe:/a:haxx:libcurl:7.34.0
cpe:/a:haxx:libcurl:7.35.0
cpe:/a:haxx:libcurl:7.36.0
cpe:/a:haxx:libcurl:7.37.0
cpe:/a:haxx:libcurl:7.37.1
cpe:/a:haxx:libcurl:7.38.0
cpe:/a:haxx:libcurl:7.39
cpe:/o:apple:mac_os_x:10.10.4

Date published: 2015-01-15T10:59:07.670-05:00

Date last modified: 2017-06-30T21:29:07.907-04:00

CVSS Score: 5.8

Principal attack vector: NETWORK

Complexity: MEDIUM

Reference URL: http://curl.haxx.se/docs/adv_20150108A.html

Summary: The darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in libcurl 7.31.0 through 7.39.0, when using the DarwinSSL (aka SecureTransport) back-end for TLS, does not check if a cached TLS session validated the certificate when reusing the session, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
