CVE-2014-2522

curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4 UNKNOWN
NETWORK
HIGH
AV:N/AC:H/Au:N/C:P/I:P/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 47%
VendorProductVersion
haxxcurl
7.27.0
haxxcurl
7.28.0
haxxcurl
7.28.1
haxxcurl
7.29.0
haxxcurl
7.30.0
haxxcurl
7.31.0
haxxcurl
7.32.0
haxxcurl
7.33.0
haxxcurl
7.34.0
haxxcurl
7.35.0
haxxlibcurl
7.27.0
haxxlibcurl
7.28.0
haxxlibcurl
7.28.1
haxxlibcurl
7.29.0
haxxlibcurl
7.30.0
haxxlibcurl
7.31.0
haxxlibcurl
7.32.0
haxxlibcurl
7.33.0
haxxlibcurl
7.34.0
haxxlibcurl
7.35.0
haxxlibcurl
7.36.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
curl
bullseye
7.74.0-1.3+deb11u13
fixed
bullseye (security)
7.74.0-1.3+deb11u11
fixed
bookworm
7.88.1-10+deb12u7
fixed
bookworm (security)
7.88.1-10+deb12u5
fixed
sid
8.10.1-2
fixed
trixie
8.10.1-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
curl
saucy
not-affected
quantal
not-affected
precise
not-affected
lucid
not-affected
Common Weakness Enumeration
References
http://curl.haxx.se/docs/adv_20140326D.html
http://seclists.org/oss-sec/2014/q1/585
http://seclists.org/oss-sec/2014/q1/586
http://secunia.com/advisories/57836
http://secunia.com/advisories/57966
http://secunia.com/advisories/57968
http://secunia.com/advisories/59458
http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095862
http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/
http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/
http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/
http://www.securityfocus.com/bid/66296
http://curl.haxx.se/docs/adv_20140326D.html
http://seclists.org/oss-sec/2014/q1/585
http://seclists.org/oss-sec/2014/q1/586
http://secunia.com/advisories/57836
http://secunia.com/advisories/57966
http://secunia.com/advisories/57968
http://secunia.com/advisories/59458
http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095862
http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/
http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/
http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/
http://www.securityfocus.com/bid/66296