Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 5.8
CVE Id CVE-2014-8151
Last Modified 17 Aug 2015 09:59:55
Published 15 Jan 2015 10:59:07
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2014-8151

Summary

The darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in libcurl 7.31.0 through 7.39.0, when using the DarwinSSL (aka SecureTransport) back-end for TLS, does not check whether a cached TLS session validated the server certificate before reusing that session, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

Vulnerable Systems

Application

  • Haxx Libcurl 7.31.0
  • Haxx Libcurl 7.32.0
  • Haxx Libcurl 7.33.0
  • Haxx Libcurl 7.34.0
  • Haxx Libcurl 7.35.0
  • Haxx Libcurl 7.36.0
  • Haxx Libcurl 7.37.0
  • Haxx Libcurl 7.37.1
  • Haxx Libcurl 7.38.0
  • Haxx Libcurl 7.39


References

SECUNIA - 61925
CONFIRM - http://curl.haxx.se/docs/adv_20150108A.html
CONFIRM - https://support.apple.com/kb/HT205031
APPLE - APPLE-SA-2015-08-13-2


Last Updated: 27 May 2016 11:07:33