SB2014041723 - Improper Authentication in curl (Alpine package)
Published: April 17, 2014
Security Bulletin ID
SB2014041723
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper Authentication (CVE-ID: CVE-2014-0138)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=e57c1f8b95e9a6aecc75e9eaae6c7bf9e259adb6
- https://git.alpinelinux.org/aports/commit/?id=81797c691fdcca7f9b1373c27992ccf283075fe9
- https://git.alpinelinux.org/aports/commit/?id=c06e486361bfb260c36b661c47d03ff912df9539
- https://git.alpinelinux.org/aports/commit/?id=39696e7a1a7079578ea07cb9514fd0c50105340e
- https://git.alpinelinux.org/aports/commit/?id=0b5317d5717ad95fbe3c5737438b3f62f5457f61
- https://git.alpinelinux.org/aports/commit/?id=4bdd777b8634c3c2ef8d4bb6254f22cea78b46d6
- https://git.alpinelinux.org/aports/commit/?id=048866caef02c40bdbde05133737726cf92b0e42
- https://git.alpinelinux.org/aports/commit/?id=b40a99c8c0a04a119db0f5fad7fbe186981f054c
- https://git.alpinelinux.org/aports/commit/?id=d22f56928998d4f1d0de70ae7b6517b512e7b9b3