{"id":"CURL-CVE-2014-0139","summary":"IP address wildcard certificate validation","details":"libcurl incorrectly validates wildcard SSL certificates containing literal\nIP addresses.\n\nRFC 2818 covers the requirements for matching Common Names (CNs) and\nsubjectAltNames in order to establish valid SSL connections. It first\ndiscusses CNs that are for hostnames, and the rules for wildcards in this\ncase. The next paragraph in the RFC then discusses CNs that are IP addresses:\n\n'In some cases, the URI is specified as an IP address rather than a\nhostname. In this case, the `iPAddress` subjectAltName must be present in the\ncertificate and must exactly match the IP in the URI.'\n\nThe intention of the RFC is clear in that you should not be able to use\nwildcards with IP addresses (in order to avoid the ability to perform\nman-in-the-middle attacks). Unfortunately libcurl fails to adhere to this\nrule under certain conditions, and subsequently it would allow and use a\nwildcard match specified in the CN field.\n\nExploiting this flaw, a malicious server could participate in a MITM attack or\njust more easily fool users into believing that it is a legitimate site for\nwhatever purpose, when it actually is not.\n\nA good CA should refuse to issue a certificate with the CN as indicated,\nhowever there only need be one CA to issue one in error for this issue to\nresult in the user getting no warning at all and being vulnerable to MITM.\n\nThis flaw is only present in libcurl when built to use one of a few\nspecific TLS libraries: OpenSSL, axTLS, qsossl or gskit.\n\nThis problem is similar to one previously reported by Richard Moore, found in\nmultiple browsers.","aliases":["CVE-2014-0139"],"modified":"2024-06-07T13:53:51Z","published":"2014-03-26T08:00:00Z","database_specific":{"affects":"both","package":"curl","URL":"https://curl.se/docs/CVE-2014-0139.json","www":"https://curl.se/docs/CVE-2014-0139.html","CWE":{"desc":"Improper Validation of Certificate with Host Mismatch","id":"CWE-297"},"severity":"Medium","last_affected":"7.35.0"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.10.3"},{"fixed":"7.36.0"}]}],"versions":["7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0","7.19.7","7.19.6","7.19.5","7.19.4","7.19.3","7.19.2","7.19.1","7.19.0","7.18.2","7.18.1","7.18.0","7.17.1","7.17.0","7.16.4","7.16.3","7.16.2","7.16.1","7.16.0","7.15.5","7.15.4","7.15.3","7.15.2","7.15.1","7.15.0","7.14.1","7.14.0","7.13.2","7.13.1","7.13.0","7.12.3","7.12.2","7.12.1","7.12.0","7.11.2","7.11.1","7.11.0","7.10.8","7.10.7","7.10.6","7.10.5","7.10.4","7.10.3"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2014-0139.json"}}],"schema_version":"1.7.3","credits":[{"name":"Richard Moore","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}