CVE-2014-8150

critical

Description

CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.

References

https://support.apple.com/kb/HT205031

https://security.gentoo.org/glsa/201701-47

https://kc.mcafee.com/corporate/index?page=content&id=SB10131

http://www.ubuntu.com/usn/USN-2474-1

http://www.securitytracker.com/id/1032768

http://www.securityfocus.com/bid/71964

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html

http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html

http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html

http://www.mandriva.com/security/advisories?name=MDVSA-2015:021

http://www.debian.org/security/2015/dsa-3122

http://secunia.com/advisories/62361

http://secunia.com/advisories/62075

http://secunia.com/advisories/61925

http://rhn.redhat.com/errata/RHSA-2015-1254.html

http://lists.opensuse.org/opensuse-updates/2015-02/msg00040.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157188.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-May/156945.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147876.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147856.html

http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743

http://curl.haxx.se/docs/adv_20150108B.html

http://advisories.mageia.org/MGASA-2015-0020.html

Details

Source: Mitre, NVD

Published: 2015-01-15

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical