CVE-2013-1944

EUVD-2013-1936
The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 85%
Affected Products (NVD)
VendorProductVersion
haxxcurl
𝑥
≤ 7.29.0
haxxcurl
6.0
haxxcurl
6.1
haxxcurl
6.1:beta
haxxcurl
6.2
haxxcurl
6.3
haxxcurl
6.3.1
haxxcurl
6.4
haxxcurl
6.5
haxxcurl
6.5.1
haxxcurl
6.5.2
haxxcurl
7.1
haxxcurl
7.1.1
haxxcurl
7.2
haxxcurl
7.2.1
haxxcurl
7.3
haxxcurl
7.4
haxxcurl
7.4.1
haxxcurl
7.4.2
haxxcurl
7.5.1
haxxcurl
7.5.2
haxxcurl
7.6
haxxcurl
7.6.1
haxxcurl
7.7
haxxcurl
7.7.1
haxxcurl
7.7.2
haxxcurl
7.7.3
haxxcurl
7.8
haxxcurl
7.8.1
haxxcurl
7.9
haxxcurl
7.9.1
haxxcurl
7.9.2
haxxcurl
7.9.3
haxxcurl
7.9.4
haxxcurl
7.9.5
haxxcurl
7.9.6
haxxcurl
7.9.7
haxxcurl
7.9.8
haxxcurl
7.10
haxxcurl
7.10.1
haxxcurl
7.10.2
haxxcurl
7.10.3
haxxcurl
7.10.4
haxxcurl
7.10.5
haxxcurl
7.10.6
haxxcurl
7.10.7
haxxcurl
7.10.8
haxxcurl
7.11.0
haxxcurl
7.11.1
haxxcurl
7.11.2
haxxcurl
7.12.0
haxxcurl
7.12.1
haxxcurl
7.12.2
haxxcurl
7.12.3
haxxcurl
7.13.0
haxxcurl
7.13.1
haxxcurl
7.13.2
haxxcurl
7.14.0
haxxcurl
7.14.1
haxxcurl
7.15.0
haxxcurl
7.15.1
haxxcurl
7.15.2
haxxcurl
7.15.3
haxxcurl
7.15.4
haxxcurl
7.15.5
haxxcurl
7.16.0
haxxcurl
7.16.1
haxxcurl
7.16.2
haxxcurl
7.16.3
haxxcurl
7.16.4
haxxcurl
7.17.0
haxxcurl
7.17.1
haxxcurl
7.18.0
haxxcurl
7.18.1
haxxcurl
7.18.2
haxxcurl
7.19.0
haxxcurl
7.19.1
haxxcurl
7.19.2
haxxcurl
7.19.3
haxxcurl
7.19.4
haxxcurl
7.19.5
haxxcurl
7.19.6
haxxcurl
7.19.7
haxxcurl
7.20.0
haxxcurl
7.20.1
haxxcurl
7.21.0
haxxcurl
7.21.1
haxxcurl
7.21.2
haxxcurl
7.21.3
haxxcurl
7.21.4
haxxcurl
7.21.5
haxxcurl
7.21.6
haxxcurl
7.21.7
haxxcurl
7.22.0
haxxcurl
7.23.0
haxxcurl
7.23.1
haxxcurl
7.24.0
haxxcurl
7.25.0
haxxcurl
7.26.0
haxxcurl
7.27.0
haxxcurl
7.28.0
haxxcurl
7.28.1
haxxlibcurl
𝑥
≤ 7.29.0
haxxlibcurl
7.14.0
haxxlibcurl
7.14.1
haxxlibcurl
7.15.0
haxxlibcurl
7.15.1
haxxlibcurl
7.15.2
haxxlibcurl
7.15.3
haxxlibcurl
7.15.4
haxxlibcurl
7.15.5
haxxlibcurl
7.16.0
haxxlibcurl
7.16.2
haxxlibcurl
7.16.3
haxxlibcurl
7.16.4
haxxlibcurl
7.17.0
haxxlibcurl
7.17.1
haxxlibcurl
7.18.0
haxxlibcurl
7.18.2
haxxlibcurl
7.19.3
haxxlibcurl
7.20.0
haxxlibcurl
7.21.2
haxxlibcurl
7.22.0
haxxlibcurl
7.23.0
haxxlibcurl
7.28.0
haxxlibcurl
7.28.1
canonicalubuntu_linux
8.04
canonicalubuntu_linux
10.04
canonicalubuntu_linux
11.10
canonicalubuntu_linux
12.04
canonicalubuntu_linux
12.10
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
curl
bookworm
7.88.1-10+deb12u7
fixed
bookworm (security)
7.88.1-10+deb12u5
fixed
bullseye
7.74.0-1.3+deb11u13
fixed
bullseye (security)
7.74.0-1.3+deb11u11
fixed
sid
8.10.1-2
fixed
trixie
8.10.1-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
curl
hardy
Fixed 7.18.0-1ubuntu2.4
released
lucid
Fixed 7.19.7-1ubuntu1.2
released
oneiric
Fixed 7.21.6-3ubuntu3.3
released
precise
Fixed 7.22.0-3ubuntu4.1
released
quantal
Fixed 7.27.0-1ubuntu1.2
released
Common Weakness Enumeration
References
http://curl.haxx.se/docs/adv_20130412.html
http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102056.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102711.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104207.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104598.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105539.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106606.html
http://lists.opensuse.org/opensuse-updates/2013-06/msg00013.html
http://lists.opensuse.org/opensuse-updates/2013-06/msg00016.html
http://rhn.redhat.com/errata/RHSA-2013-0771.html
http://secunia.com/advisories/53044
http://secunia.com/advisories/53051
http://secunia.com/advisories/53097
http://www.debian.org/security/2012/dsa-2660
http://www.mandriva.com/security/advisories?name=MDVSA-2013:151
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.osvdb.org/92316
http://www.securityfocus.com/bid/59058
http://www.ubuntu.com/usn/USN-1801-1
https://bugzilla.redhat.com/show_bug.cgi?id=950577
https://github.com/bagder/curl/commit/2eb8dcf26cb37f09cffe26909a646e702dbcab66
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0121
http://curl.haxx.se/docs/adv_20130412.html
http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102056.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102711.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104207.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104598.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105539.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106606.html
http://lists.opensuse.org/opensuse-updates/2013-06/msg00013.html
http://lists.opensuse.org/opensuse-updates/2013-06/msg00016.html
http://rhn.redhat.com/errata/RHSA-2013-0771.html
http://secunia.com/advisories/53044
http://secunia.com/advisories/53051
http://secunia.com/advisories/53097
http://www.debian.org/security/2012/dsa-2660
http://www.mandriva.com/security/advisories?name=MDVSA-2013:151
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.osvdb.org/92316
http://www.securityfocus.com/bid/59058
http://www.ubuntu.com/usn/USN-1801-1
https://bugzilla.redhat.com/show_bug.cgi?id=950577
https://github.com/bagder/curl/commit/2eb8dcf26cb37f09cffe26909a646e702dbcab66
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0121