CURL-CVE-2014-8151
- Source
- https://curl.se/docs/CVE-2014-8151.html
- Import Source
- https://curl.se/docs/CURL-CVE-2014-8151.json
- JSON Data
- https://api.osv.dev/v1/vulns/CURL-CVE-2014-8151
- Aliases
-
- CVE-2014-8151
- Published
- 2015-01-08T08:00:00Z
- Modified
- 2026-05-19T11:21:50Z
- Summary
- Secure Transport certificate check bypass
- Details
-
libcurl stores TLS Session IDs in its associated Session ID cache when it connects to TLS servers. In subsequent connects it reuses the entry in the cache to resume the TLS connection faster than when doing a full TLS handshake. The actual implementation for the Session ID caching varies depending on the underlying TLS backend.
libcurl allows applications to switch off certificate verification in two different ways - using
CURLOPT_SSL_VERIFYHOSTandCURLOPT_SSL_VERIFYPEER.When an application connected to a TLS server with certificate verification disabled, it would store the Session ID in the cache and if then a subsequent connection was made against the same host and port number, it would reuse the former session and thanks to the reused session from the cache, it would skip the certificate check and wrongly accept any bad certificate that could be presented.
The problem was that the "key" used for caching Session IDs did not take the certificate check status into account.
This problem is specific to libcurl built to use the Secure Transport backend for TLS, so it can only affect Mac and iPhone based applications.
- Database specific
{ "www": "https://curl.se/docs/CVE-2014-8151.html", "URL": "https://curl.se/docs/CVE-2014-8151.json", "CWE": { "id": "CWE-297", "desc": "Improper Validation of Certificate with Host Mismatch" }, "last_affected": "7.39.0", "package": "curl", "affects": "both", "severity": "Medium" }- References
-
- Credits
-
-
- Marc Hesse at RethinkDB - FINDER
-
- Daniel Stenberg - REMEDIATION_DEVELOPER
-