CVE-2014-2522

curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.

Published: Apr 19, 2014
Updated: Apr 13, 2023
CVE: CVE-2014-2522
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:H/Au:N/C:P/I:P/A:N

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
haxx / curl	7.27.0	7.27.0.x
haxx / curl	7.28.0	7.28.0.x
haxx / curl	7.28.1	7.28.1.x
haxx / curl	7.29.0	7.29.0.x
haxx / curl	7.30.0	7.30.0.x
haxx / curl	7.31.0	7.31.0.x
haxx / curl	7.32.0	7.32.0.x
haxx / curl	7.33.0	7.33.0.x
haxx / curl	7.34.0	7.34.0.x
haxx / curl	7.35.0	7.35.0.x
haxx / libcurl	7.27.0	7.27.0.x
haxx / libcurl	7.28.0	7.28.0.x
haxx / libcurl	7.28.1	7.28.1.x
haxx / libcurl	7.29.0	7.29.0.x
haxx / libcurl	7.30.0	7.30.0.x
haxx / libcurl	7.31.0	7.31.0.x
haxx / libcurl	7.32.0	7.32.0.x
haxx / libcurl	7.33.0	7.33.0.x
haxx / libcurl	7.34.0	7.34.0.x
haxx / libcurl	7.35.0	7.35.0.x
haxx / libcurl	7.36.0	7.36.0.x

Vulnerability Database

289,599

CVE-2014-2522