
CVE-2014-8151

Published: Jan 15, 2015

Modified: Aug 6, 2024

PUBLISHED

Description

The darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in libcurl 7.31.0 through 7.39.0, when using the DarwinSSL (aka SecureTransport) back-end for TLS, does not check if a cached TLS session validated the certificate when reusing the session, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

Vendor: n/a

Product: n/a

Versions: n/a (affected)

References

APPLE-SA-2015-08-13-2 (vendor-advisory, x_refsource_APPLE)
GLSA-201701-47 (vendor-advisory, x_refsource_GENTOO)
61925 (third-party-advisory, x_refsource_SECUNIA)
