Executive Summary

Informations
NameCVE-2013-1944First vendor Publication2013-04-29
VendorCveLast vendor Modification2016-09-08

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Cvss Base Score5Attack RangeNetwork
Cvss Impact Score2.9Attack ComplexityLow
Cvss Expoit Score10AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1944

CWE : Common Weakness Enumeration

%idName
100 %CWE-200Information Exposure

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:20280
 
Oval ID: oval:org.mitre.oval:def:20280
Title: RHSA-2013:0771: curl security update (Moderate)
Description: The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL.
Family: unix Class: patch
Reference(s): RHSA-2013:0771-01
CESA-2013:0771
CVE-2013-1944
Version: 4
Platform(s): Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
CentOS Linux 5
CentOS Linux 6
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:20032
 
Oval ID: oval:org.mitre.oval:def:20032
Title: DSA-2660-1 curl - cookie leak vulnerability
Description: Yamada Yasuharu discovered that cURL, an URL transfer library, is vulnerable to expose potentially sensitive information when doing requests across domains with matching tails. Due to a bug in the tail match function when matching domain names, it was possible that cookies set for a domain <q>ample.com</q> could accidentally also be sent by libcurl when communicating with <q>example.com</q>.
Family: unix Class: patch
Reference(s): DSA-2660-1
CVE-2013-1944
Version: 5
Platform(s): Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18259
 
Oval ID: oval:org.mitre.oval:def:18259
Title: USN-1801-1 -- curl vulnerability
Description: Applications using libcurl could be made to expose sensitive information over the network.
Family: unix Class: patch
Reference(s): USN-1801-1
CVE-2013-1944
Version: 7
Platform(s): Ubuntu 12.10
Ubuntu 12.04
Ubuntu 11.10
Ubuntu 10.04
Ubuntu 8.04
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23950
 
Oval ID: oval:org.mitre.oval:def:23950
Title: ELSA-2013:0771: curl security update (Moderate)
Description: The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL.
Family: unix Class: patch
Reference(s): ELSA-2013:0771-01
CVE-2013-1944
Version: 6
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23498
 
Oval ID: oval:org.mitre.oval:def:23498
Title: DEPRECATED: ELSA-2013:0771: curl security update (Moderate)
Description: The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL.
Family: unix Class: patch
Reference(s): ELSA-2013:0771-01
CVE-2013-1944
Version: 7
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26023
 
Oval ID: oval:org.mitre.oval:def:26023
Title: SUSE-SU-2013:0771-1 -- Security update for curl
Description: This update fixes the cookie domain tailmatch vulnerability in curl. CVE-2013-1944 has been assigned to this issue. Security Issue reference: * CVE-2013-1944 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1944 >
Family: unix Class: patch
Reference(s): SUSE-SU-2013:0771-1
CVE-2013-1944
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25795
 
Oval ID: oval:org.mitre.oval:def:25795
Title: SUSE-SU-2013:0772-1 -- Security update for compat-curl2
Description: This update of compat-curl2 fixes several security issues. * fixes for the cookie domain tailmatch vulnerability (bnc#814655) * updated curl CA-Cert Bundle (bnc#810010) * fixes for a potential BEAST attack (bnc#742306) Security Issue reference: * CVE-2013-1944 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1944 >
Family: unix Class: patch
Reference(s): SUSE-SU-2013:0772-1
CVE-2013-1944
Version: 3
Platform(s): SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Desktop 10
Product(s): compat-curl2
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25538
 
Oval ID: oval:org.mitre.oval:def:25538
Title: SUSE-SU-2013:0773-1 -- Security update for curl, curl
Description: This update fixes the cookie domain tailmatch vulnerability in curl. CVE-2013-1944 has been assigned to this issue. Also the CA-Cert Bundle has been updated to the current state. Security Issue reference: * CVE-2013-1944 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1944 >
Family: unix Class: patch
Reference(s): SUSE-SU-2013:0773-1
CVE-2013-1944
Version: 3
Platform(s): SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Desktop 10
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27357
 
Oval ID: oval:org.mitre.oval:def:27357
Title: DEPRECATED: ELSA-2013-0771 -- curl security update (moderate)
Description: [7.19.7-36] - fix cookie tailmatching to prevent cross-domain leakage (CVE-2013-1944)
Family: unix Class: patch
Reference(s): ELSA-2013-0771
CVE-2013-1944
Version: 4
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): curl
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application103
Application103
Os5

Nessus® Vulnerability Scanner

DateDescription
2016-06-22Name : The remote OracleVM host is missing a security update.
File : oraclevm_OVMSA-2016-0056.nasl - Type : ACT_GATHER_INFO
2015-01-19Name : The remote Solaris system is missing a security patch for third-party software.
File : solaris11_libcurl_20140415.nasl - Type : ACT_GATHER_INFO
2014-11-28Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL15875.nasl - Type : ACT_GATHER_INFO
2014-06-13Name : The remote openSUSE host is missing a security update.
File : openSUSE-2013-369.nasl - Type : ACT_GATHER_INFO
2014-01-21Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201401-14.nasl - Type : ACT_GATHER_INFO
2013-10-23Name : The remote host is missing a Mac OS X update that fixes multiple security vul...
File : macosx_10_9.nasl - Type : ACT_GATHER_INFO
2013-09-04Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2013-210.nasl - Type : ACT_GATHER_INFO
2013-07-12Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2013-0771.nasl - Type : ACT_GATHER_INFO
2013-07-10Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_libcurl4-8618.nasl - Type : ACT_GATHER_INFO
2013-05-26Name : The remote Fedora host is missing a security update.
File : fedora_2013-7797.nasl - Type : ACT_GATHER_INFO
2013-05-15Name : The remote Fedora host is missing a security update.
File : fedora_2013-7813.nasl - Type : ACT_GATHER_INFO
2013-05-09Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_curl-130416.nasl - Type : ACT_GATHER_INFO
2013-05-09Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_curl-8550.nasl - Type : ACT_GATHER_INFO
2013-05-06Name : The remote Fedora host is missing a security update.
File : fedora_2013-6766.nasl - Type : ACT_GATHER_INFO
2013-05-01Name : The remote Fedora host is missing a security update.
File : fedora_2013-6780.nasl - Type : ACT_GATHER_INFO
2013-04-29Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2013-151.nasl - Type : ACT_GATHER_INFO
2013-04-26Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20130424_curl_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2013-04-25Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2013-0771.nasl - Type : ACT_GATHER_INFO
2013-04-25Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-0771.nasl - Type : ACT_GATHER_INFO
2013-04-22Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2660.nasl - Type : ACT_GATHER_INFO
2013-04-22Name : The remote Fedora host is missing a security update.
File : fedora_2013-5598.nasl - Type : ACT_GATHER_INFO
2013-04-18Name : The remote Fedora host is missing a security update.
File : fedora_2013-5618.nasl - Type : ACT_GATHER_INFO
2013-04-16Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1801-1.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

SourceUrl
APPLE http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html
BID http://www.securityfocus.com/bid/59058
CONFIRM http://curl.haxx.se/docs/adv_20130412.html
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546....
https://github.com/bagder/curl/commit/2eb8dcf26cb37f09cffe26909a646e702dbcab66
DEBIAN http://www.debian.org/security/2012/dsa-2660
FEDORA http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102056.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102711.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104207.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104598.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105539.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106606.html
MANDRIVA http://www.mandriva.com/security/advisories?name=MDVSA-2013:151
MISC https://bugzilla.redhat.com/show_bug.cgi?id=950577
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0121
REDHAT http://rhn.redhat.com/errata/RHSA-2013-0771.html
SUSE http://lists.opensuse.org/opensuse-updates/2013-06/msg00013.html
http://lists.opensuse.org/opensuse-updates/2013-06/msg00016.html
UBUNTU http://www.ubuntu.com/usn/USN-1801-1

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
DateInformations
2018-05-25 12:04:49
  • Multiple Updates
2016-09-09 09:23:16
  • Multiple Updates
2016-06-28 19:26:29
  • Multiple Updates
2016-06-23 13:29:27
  • Multiple Updates
2016-04-26 23:03:06
  • Multiple Updates
2015-01-21 13:26:07
  • Multiple Updates
2014-11-29 13:27:08
  • Multiple Updates
2014-06-14 13:35:12
  • Multiple Updates
2014-02-17 11:18:40
  • Multiple Updates
2013-12-01 13:18:51
  • Multiple Updates
2013-10-31 13:20:03
  • Multiple Updates
2013-06-21 13:19:38
  • Multiple Updates
2013-05-10 22:30:13
  • Multiple Updates
2013-04-30 21:20:20
  • Multiple Updates
2013-04-30 13:19:46
  • First insertion