9 matches found
K15807: cURL and libcurl vulnerability CVE-2014-1263
Security Advisory Description: curl and libcurl 7.27.0 through 7.35.0, when using the SecureTransport/Darwinssl backend, as used in Apple OS X 10.9.x before 10.9.2, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.50...
CVE-2014-8151
The darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in libcurl 7.31.0 through 7.39.0, when using the DarwinSSL (aka SecureTransport) back-end for TLS, does not check if a cached TLS session validated the certificate when reusing the session, which allows man-in-the-middle attackers to...
CVE-2014-8151
The darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in libcurl 7.31.0 through 7.39.0, when using the DarwinSSL (aka SecureTransport) back-end for TLS, does not check if a cached TLS session validated the certificate when reusing the session, which allows man-in-the-middle attackers to...
Code injection
The darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in libcurl 7.31.0 through 7.39.0, when using the DarwinSSL (aka SecureTransport) back-end for TLS, does not check if a cached TLS session validated the certificate when reusing the session, which allows man-in-the-middle attackers to...
CVE-2014-8151
The darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in libcurl 7.31.0 through 7.39.0, when using the DarwinSSL (aka SecureTransport) back-end for TLS, does not check if a cached TLS session validated the certificate when reusing the session, which allows man-in-the-middle attackers to...
CVE-2014-1263
curl and libcurl 7.27.0 through 7.35.0, when using the SecureTransport/Darwinssl backend, as used in Apple OS X 10.9.x before 10.9.2, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a...
Code injection
curl and libcurl 7.27.0 through 7.35.0, when using the SecureTransport/Darwinssl backend, as used in Apple OS X 10.9.x before 10.9.2, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a...
CVE-2014-1263
curl and libcurl 7.27.0 through 7.35.0, when using the SecureTransport/Darwinssl backend, as used in Apple OS X 10.9.x before 10.9.2, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a...
CVE-2014-1263
CVE-2014-1263 affects curl/libcurl 7.27.0–7.35.0 when using the SecureTransport/Darwinssl backend on macOS (OS X 10.9.x before 10.9.2). The flaw disables hostname verification for certificates when connecting to URLs that use IP addresses, allowing MITM attackers to spoof servers with arbitrary v...