Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM6267DE38B967CE58A1DEF6DF551BAD027CBFF54363ECBB40F2FC6D3AD4190A8D
HistorySep 23, 2021 - 1:31 a.m.

Security Bulletin: Vulnerabilities in curl affect Power Hardware Management Console (CVE-2015-3143 CVE-2015-3148 CVE-2015-3153 CVE-2014-3613 CVE-2014-3707 CVE-2014-8150)

2021-09-2301:31:39
www.ibm.com
18

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.013 Low

EPSS

Percentile

84.1%

JSON

Summary

curl is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-3143**
DESCRIPTION:** libcurl could allow a remote attacker from within the local network to bypass security restrictions, caused by the re-use of recently authenticated connections. By sending a new NTLM-authenticated request, an attacker could exploit this vulnerability to perform unauthorized actions with the privileges of the victim.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102888 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-3148**
DESCRIPTION:** libcurl and cRUL could allow a remote attacker to bypass security restrictions, caused by improper use of the negotiate authentication method. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions and connect as other users.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102878 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-3153**
DESCRIPTION:** cURL/libcURL could allow a remote attacker to obtain sensitive information, caused by custom HTTP headers with sensitive content being sent to the server and intermediate proxy by the CURLOPT_HTTPHEADER option. An attacker could exploit this vulnerability to obtain authentication cookies or other sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102989 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2014-3613**
DESCRIPTION:** cURL/libcURL could allow a remote attacker to bypass security restrictions, caused by the failure to properly detect and reject domain names for IP addresses. An attacker could exploit this vulnerability to send cookies to an incorrect site.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95925 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2014-3707**
DESCRIPTION:** cURL/libcURL could allow a remote attacker to obtain sensitive information, caused by an error in the curl_easy_duphandle() function. An attacker could exploit this vulnerability to corrupt heap memory and obtain sensitive information or cause a denial of service.
CVSS Base Score: 6.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/98562 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVEID: CVE-2014-8150**
DESCRIPTION:** libcURL is vulnerable to CRLF injection, caused by the improper handling of URLs with embedded end-of-line characters. By persuading a victim to click on a specially-crafted URL link using an HTTP proxy, a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100567 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

Power HMC V7.9.0.0
Power HMC V8.1.0.0
Power HMC V8.2.0.0
Power HMC V8.3.0.0
Power HMC V8.4.0.0

Remediation/Fixes

Product

|

VRMF

|

APAR

|

Remediation/Fix

—|—|—|—

Power HMC

|

V7.7.9.0 SP2

|

MB03974

|

Apply eFix MH01579

Power HMC

|

V8.8.1.0 SP2

|

MB03975

|

Apply eFix MH01580

Power HMC

|

V8.8.2.0 SP2

|

MB03976

|

Apply eFix MH01581

Power HMC

|

V8.8.3.0 SP1

|

MB03977

|

Apply eFix MH01582

Power HMC

|

V8.8.4.0

|

MH01559

|

Apply eFix MH01560

Workarounds and Mitigations

None

Related

ibm 10
redhat 2
oraclelinux 2
nessus 58
openvas 40
centos 2
veracode 6
f5 4
fedora 9
amazon 2
debian 10
securityvulns 7
osv 7
ubuntu 3
mageia 4
altlinux 2
kaspersky 1
hackerone 2
freebsd 3
debiancve 5
prion 5
cve 5
archlinux 4
ubuntucve 5
checkpoint_advisories 1
ibm
ibm
Security Bulletin: Vulnerabilities in curl affect IBM Security Network Intrusion Prevention System
2022-02-23 19:48:26
Security Bulletin: Multiple vulnerabilities in curl affect IBM Flex System Manager (FSM)
2018-06-18 01:30:20
Security Bulletin: Vulnerabilities in curl affect IBM Security Network Protection
2018-06-16 21:30:39
redhat
redhat
(RHSA-2015:2159) Moderate: curl security, bug fix, and enhancement update
2015-11-19 14:41:12
(RHSA-2015:1254) Moderate: curl security, bug fix, and enhancement update
2015-07-22 05:29:46
oraclelinux
oraclelinux
curl security, bug fix, and enhancement update
2015-11-23 00:00:00
curl security, bug fix, and enhancement update
2015-07-28 00:00:00
nessus
nessus
RHEL 6 : curl (RHSA-2015:1254)
2015-07-22 00:00:00
Scientific Linux Security Update : curl on SL7.x x86_64 (20151119)
2015-12-22 00:00:00
Scientific Linux Security Update : curl on SL6.x i386/x86_64 (20150722)
2015-08-04 00:00:00
openvas
openvas
RedHat Update for curl RHSA-2015:2159-06
2015-11-20 00:00:00
RedHat Update for curl RHSA-2015:1254-02
2015-07-23 00:00:00
Oracle: Security Advisory (ELSA-2015-1254)
2015-10-06 00:00:00
centos
centos
curl, libcurl security update
2015-07-26 14:12:23
curl, libcurl security update
2015-11-30 19:26:37
veracode
veracode
CRLF Injection
2019-05-02 05:40:50
Authentication Bypass
2018-05-16 08:57:04
Cookie Leak
2019-01-15 09:06:32
f5
f5
K85307687 : cURL and libcurl vulnerabilities CVE-2014-3613, CVE-2014-3707, and CVE-2014-8150
2016-11-16 00:00:00
SOL85307687 - cURL and libcurl vulnerabilities CVE-2014-3613, CVE-2014-3707, and CVE-2014-8150
2016-11-16 00:00:00
SOL16707 - cURL and libcurl vulnerability CVE-2015-3148
2015-05-29 00:00:00
fedora
fedora
[SECURITY] Fedora 21 Update: mingw-curl-7.42.0-1.fc21
2015-05-04 15:28:35
[SECURITY] Fedora 22 Update: mingw-curl-7.42.0-1.fc22
2015-05-01 16:51:59
[SECURITY] Fedora 21 Update: curl-7.37.0-14.fc21
2015-05-02 18:11:42
amazon
amazon
Medium: curl
2015-02-11 19:36:00
Medium: curl
2015-04-22 16:14:00
debian
debian
[SECURITY] [DLA 211-1] curl security update
2015-04-29 20:42:59
[SECURITY] [DSA 3232-1] curl security update
2015-04-22 12:08:24
[SECURITY] [DLA 134-1] curl security update
2015-01-15 21:10:23
securityvulns
securityvulns
[ MDVSA-2015:220 ] curl
2015-05-04 00:00:00
[USN-2591-1] curl vulnerabilities
2015-05-05 00:00:00
[ MDVSA-2015:021 ] curl
2015-01-13 00:00:00
osv
osv
curl - security update
2015-04-29 00:00:00
curl - security update
2015-04-22 00:00:00
curl - security update
2015-01-15 00:00:00
ubuntu
ubuntu
curl vulnerabilities
2015-04-30 00:00:00
curl vulnerability
2015-01-15 00:00:00
curl vulnerability
2014-11-10 00:00:00
mageia
mageia
Updated curl packages fix security vulnerabilities
2015-05-03 03:19:16
Updated curl packages fix CVE-2014-8150
2015-01-09 19:44:12
Updated curl packages fix security vulnerabilities
2014-09-24 20:44:28
altlinux
altlinux
Security fix for the ALT Linux 8 package curl version 7.42.0-alt1
2015-04-22 00:00:00
Security fix for the ALT Linux 8 package curl version 7.42.1-alt1
2015-04-29 00:00:00
kaspersky
kaspersky
KLA10566 Multiple vulnerabilities in cURL
2015-04-24 00:00:00
hackerone
hackerone
Internet Bug Bounty: libcurl: URL request injection
2014-12-25 00:00:00
Internet Bug Bounty: libcurl duphandle read out of bounds
2015-09-16 00:00:00
freebsd
freebsd
cURL -- URL request injection vulnerability
2014-12-25 00:00:00
asterisk -- Mitigation for libcURL HTTP request injection vulnerability
2015-01-12 00:00:00
cURL -- sensitive HTTP server headers also sent to proxies
2015-04-29 00:00:00
debiancve
debiancve
CVE-2014-8150
2015-01-15 15:59:00
CVE-2015-3148
2015-04-24 14:59:00
CVE-2014-3707
2014-11-15 20:59:00
prion
prion
Crlf injection
2015-01-15 15:59:00
Cross site request forgery (csrf)
2015-04-24 14:59:00
Code injection
2014-11-18 15:59:00
cve
cve
CVE-2014-8150
2015-01-15 15:59:00
CVE-2015-3148
2015-04-24 14:59:00
CVE-2014-3613
2014-11-18 15:59:00
archlinux
archlinux
curl: url request injection
2015-01-18 00:00:00
curl: multiple issues
2015-04-24 00:00:00
curl: out-of-bounds read
2014-11-11 00:00:00
ubuntucve
ubuntucve
CVE-2014-8150
2015-01-08 00:00:00
CVE-2015-3148
2015-04-22 00:00:00
CVE-2014-3613
2014-09-10 00:00:00
checkpoint_advisories
checkpoint_advisories
Web Server HTTP Request URL Injection (CVE-2014-8150)
2016-08-28 00:00:00

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.013 Low

EPSS

Percentile

84.1%

JSON
Related for 6267DE38B967CE58A1DEF6DF551BAD027CBFF54363ECBB40F2FC6D3AD4190A8D
ibm10redhat2oraclelinux2nessus58openvas40centos2veracode6f54fedora9amazon2debian10securityvulns7osv7ubuntu3mageia4altlinux2kaspersky1hackerone2freebsd3debiancve5prion5cve5archlinux4ubuntucve5checkpoint_advisories1