CURL-CVE-2014-3620

See a problem?

Source

https://curl.se/docs/CVE-2014-3620.html

Import Source

https://curl.se/docs/CURL-CVE-2014-3620.json

JSON Data

https://api.osv.dev/v1/vulns/CURL-CVE-2014-3620

Aliases

CVE-2014-3620

Published

2014-09-10T08:00:00Z

Modified

2024-06-07T13:53:51Z

Summary

cookie leak for TLDs

Details

libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus making them apply broader than cookies are allowed. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain.

References

Credits

- Tim Ruehsen - FINDER
- Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

7.31.0

Fixed

7.38.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

85b9dc80232d1d7d48ee4dea6db5a2263ee68efd

Fixed

a76825a5efa6b41d3a1d4f275dada2f017f6f566

Affected versions

7.*

7.31.0

7.32.0

7.33.0

7.34.0

7.35.0

7.36.0

7.37.0

7.37.1