Fedora EPEL 7 update for mingw-curl
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2014-3620 CVE-2014-3613 CVE-2014-3707 |
| CWE-ID | CWE-310 CWE-125 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Fedora Operating systems & Components / Operating system mingw-curl Operating systems & Components / Operating system package or component |
| Vendor | Fedoraproject |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Cryptographic issues
EUVDB-ID: #VU41096
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2014-3620
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 7
mingw-curl: before 7.39.0-1.el7
CPE2.3- cpe:2.3:o:fedoraproject:fedora:7:*:*:*:*:*:*:*
- cpe:2.3:a:fedoraproject:mingw-curl:*:*:*:*:*:fedora:*:*
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2014-4906
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Cryptographic issues
EUVDB-ID: #VU41097
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2014-3613
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 7
mingw-curl: before 7.39.0-1.el7
CPE2.3- cpe:2.3:o:fedoraproject:fedora:7:*:*:*:*:*:*:*
- cpe:2.3:a:fedoraproject:mingw-curl:*:*:*:*:*:fedora:*:*
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2014-4906
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Out-of-bounds read
EUVDB-ID: #VU66915
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2014-3707
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in the "curl_easy_duphandle" function. A remote attacker can trigger out-of-bounds read error and read contents of memory on the system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 7
mingw-curl: before 7.39.0-1.el7
CPE2.3- cpe:2.3:o:fedoraproject:fedora:7:*:*:*:*:*:*:*
- cpe:2.3:a:fedoraproject:mingw-curl:*:*:*:*:*:fedora:*:*
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2014-4906
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
