CVE-2014-2522 — Vulnetix

Try Vulnetix Request Demo

CVE-2014-2522 PUBLISHED CVSS 4 MEDIUM

curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.

EPSS 0.29% · 52.4th percentile

Risk Scores

CVSS v2.0

4

EPSS Score

0.29%

52.4th percentile

Affected Products

Vendor	Product	Versions
n/a	n/a	n/a
haxx	libcurl	7.36.0, 7.27.0, 7.28.0
haxx	curl	7.28.0, 7.28.1, 7.29.0

Timeline

CVE Published
Feb 4, 2022 EPSS Score
Mar 28, 2022 EPSS Score
May 19, 2022 EPSS Score
Jul 10, 2022 EPSS Score
Sep 1, 2022 EPSS Score
Dec 14, 2022 EPSS Score
Feb 4, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Mar 28, 2023 EPSS Score
May 19, 2023 EPSS Score
Jul 10, 2023 EPSS Score

References

66296 vdb
http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095862 url
57836 third-party-advisory
http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/ url
59458 third-party-advisory
[oss-security] 20140317 Re: CVE request: flaw in curl's Windows SSL backend mailing-list
57968 third-party-advisory
[oss-security] 20140317 CVE request: flaw in curl's Windows SSL backend mailing-list
http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/ url
http://curl.haxx.se/docs/adv_20140326D.html url
http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/ url
57966 third-party-advisory
https://nvd.nist.gov/vuln/detail/CVE-2014-2522 advisory
http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release url
http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release url
http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release url

Open in Interactive Console →