CVE-2014-0138
The MITRE CVE dictionary describes this issue as:
The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015.
Find out more about CVE-2014-0138 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
This issue affects the version of curl as shipped with Red Hat Enterprise Linux 5 and 7. The Red Hat Security Response Team has rated this issue as having Moderate security impact, a future update may address this flaw.
CVSS v2 metrics
| Base Score | 4.3 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | None |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 6 (curl) | RHSA-2014:0561 | 2014-05-27 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 7 | curl | Not affected |
| Red Hat Enterprise Linux 5 | curl | Will not fix |
Acknowledgements
Red Hat would like to thank the cURL project for reporting this issue. Upstream acknowledges Steve Holme as the original reporter.External References
CVE description copyright © 2017, The MITRE Corporation