CURL-CVE-2014-0138

Source
https://curl.se/docs/CVE-2014-0138.html
Import Source
https://curl.se/docs/CURL-CVE-2014-0138.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2014-0138
Aliases
Published
2014-03-26T08:00:00Z
Modified
2024-06-07T13:53:51Z
Summary
wrong re-use of connections
Details

libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP.

libcurl features a pool of recent connections so that subsequent requests can re-use an existing connection to avoid overhead.

When re-using a connection a range of criterion must first be met. Due to an error in the code, a transfer that was initiated by an application could wrongfully re-use an existing connection to the same server that was authenticated using different credentials. The existing logic basically only worked well enough for HTTP and FTP, while all other network protocols were silently, but erroneously, assumed to work like HTTP. Basically, protocols that use connection oriented authentication need a new connection when new credentials are used.

Affected protocols include: SCP, SFTP, POP3(S), IMAP(S), SMTP(S) and LDAP(S).

Applications can disable libcurl's re-use of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not re-used: CURLOPT_FRESH_CONNECT, CURLOPT_MAXCONNECTS and CURLMOPT_MAX_HOST_CONNECTIONS (if using the curl_multi API).

(This problem is very similar to a problem previously reported to NTLM HTTP connections, named CVE-2014-0015)

Database specific
{
    "CWE": {
        "id": "CWE-305",
        "desc": "Authentication Bypass by Primary Weakness"
    },
    "package": "curl",
    "URL": "https://curl.se/docs/CVE-2014-0138.json",
    "severity": "Medium",
    "www": "https://curl.se/docs/CVE-2014-0138.html",
    "last_affected": "7.35.0"
}
References
Credits
    • Steve Holme - FINDER
    • Steve Holme - REMEDIATION_DEVELOPER

Affected packages

Git /

Affected ranges

Type
SEMVER
Events
Introduced
7.10.6
Fixed
7.36.0

Affected versions

7.*

7.10.6
7.10.7
7.10.8
7.11.0
7.11.1
7.11.2
7.12.0
7.12.1
7.12.2
7.12.3
7.13.0
7.13.1
7.13.2
7.14.0
7.14.1
7.15.0
7.15.1
7.15.2
7.15.3
7.15.4
7.15.5
7.16.0
7.16.1
7.16.2
7.16.3
7.16.4
7.17.0
7.17.1
7.18.0
7.18.1
7.18.2
7.19.0
7.19.1
7.19.2
7.19.3
7.19.4
7.19.5
7.19.6
7.19.7
7.20.0
7.20.1
7.21.0
7.21.1
7.21.2
7.21.3
7.21.4
7.21.5
7.21.6
7.21.7
7.22.0
7.23.0
7.23.1
7.24.0
7.25.0
7.26.0
7.27.0
7.28.0
7.28.1
7.29.0
7.30.0
7.31.0
7.32.0
7.33.0
7.34.0
7.35.0