SB2014041108 - Amazon Linux AMI update for curl

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2014041108

SB2014041108 - Amazon Linux AMI update for curl

Published: April 11, 2014

Security Bulletin ID SB2014041108
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Improper Authentication (CVE-ID: CVE-2014-0015)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.


2) Improper Authentication (CVE-ID: CVE-2014-0138)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015.


Remediation

Install update from vendor's website.

References