CVE-2014-3613

cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.

Published: Nov 18, 2014
Updated: Apr 13, 2023
CVE: CVE-2014-3613
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-310

Affected Software
References

Software	From	Fixed in
haxx / curl	7.35.0	7.35.0.x
haxx / curl	7.32.0	7.32.0.x
haxx / curl	7.33.0	7.33.0.x
haxx / curl	7.36.0	7.36.0.x
haxx / curl	-	7.37.1.x
haxx / curl	7.31.0	7.31.0.x
haxx / curl	7.34.0	7.34.0.x
haxx / curl	7.37.0	7.37.0.x
haxx / libcurl	7.37.0	7.37.0.x
haxx / libcurl	7.33.0	7.33.0.x
haxx / libcurl	7.36.0	7.36.0.x
haxx / libcurl	7.34.0	7.34.0.x
haxx / libcurl	7.31.0	7.31.0.x
haxx / libcurl	7.35.0	7.35.0.x
haxx / libcurl	-	7.37.1.x
haxx / libcurl	7.32.0	7.32.0.x
apple / mac_os_x	-	10.10.4.x

http://curl.haxx.se/docs/adv_20140910A.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00024.html
http://rhn.redhat.com/errata/RHSA-2015-1254.html
http://www.debian.org/security/2014/dsa-3022
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
http://www.securityfocus.com/bid/69748
https://support.apple.com/kb/HT205031

Vulnerability Database

289,599

CVE-2014-3613