Loading HuntDB...

Vulnerability Intelligence by wss.sh

Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News

More Sources

HackerOne Reports

Bug bounty disclosures

WordPress Vulnerabilities

WordPress plugins & themes

Tools & Data

Trending Insights

Popular vulnerabilities

Advanced Search

Filter & search CVEs

Product Inventory

Software & vendors

Sign In Sign Up

CVE-2014-2522

UNKNOWN

Published 2014-04-18T19:00:00

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2014-2522. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed MODERATE

GHSA-wrgp-wm42-6wqv

Advisory Details

curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.

CVSS Scoring

CVSS Score

5.0

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2014-2522

WEB http://curl.haxx.se/docs/adv_20140326D.html

WEB http://seclists.org/oss-sec/2014/q1/585

WEB http://seclists.org/oss-sec/2014/q1/586

WEB http://secunia.com/advisories/57836

WEB http://secunia.com/advisories/57966

WEB http://secunia.com/advisories/57968

WEB http://secunia.com/advisories/59458

WEB http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095862

WEB http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release

WEB http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release

WEB http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release

WEB http://www.securityfocus.com/bid/66296

Advisory provided by GitHub Security Advisory Database. Published: May 17, 2022, Modified: April 12, 2025

References

http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095862

http://secunia.com/advisories/57836

http://www.securityfocus.com/bid/66296

http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/

http://secunia.com/advisories/59458

http://seclists.org/oss-sec/2014/q1/586

http://secunia.com/advisories/57968

http://seclists.org/oss-sec/2014/q1/585

http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/

http://curl.haxx.se/docs/adv_20140326D.html

http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/

http://secunia.com/advisories/57966

HackerOne Reports

CVE-2024-2466: TLS certificate check bypass with mbedTLS Medium

frankyueh

curl

Improper Validation of Certificate with Host Mismatch

Published: 2014-04-18T19:00:00

Last Modified: 2024-08-06T10:14:26.532Z

Copied to clipboard!