Amazon ALAS-2014-322
Apr 10, 2014 - 11:54 p.m.

Medium: curl

alas.aws.amazon.com

CVSS2: 6.4
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N

AI Score: 6.7
Confidence: Low

EPSS: 0.008
Percentile: 81.1%

Issue Overview:

The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015.

Affected Packages:

curl

Issue Correction:
Run yum update curl to update your system.

New Packages:

i686:  
    curl-7.36.0-2.44.amzn1.i686  
    libcurl-devel-7.36.0-2.44.amzn1.i686  
    curl-debuginfo-7.36.0-2.44.amzn1.i686  
    libcurl-7.36.0-2.44.amzn1.i686  
  
src:  
    curl-7.36.0-2.44.amzn1.src  
  
x86_64:  
    curl-debuginfo-7.36.0-2.44.amzn1.x86_64  
    curl-7.36.0-2.44.amzn1.x86_64  
    libcurl-7.36.0-2.44.amzn1.x86_64  
    libcurl-devel-7.36.0-2.44.amzn1.x86_64  

Additional References

Red Hat: CVE-2014-0138

Mitre: CVE-2014-0138
