{"id":"CURL-CVE-2014-3613","summary":"cookie leak with IP address as domain","details":"By not detecting and rejecting domain names for partial literal IP addresses\nproperly when parsing received HTTP cookies, libcurl can be fooled to both\nsending cookies to wrong sites and into allowing arbitrary sites to set\ncookies for others.\n\nFor this problem to trigger, the client application must use the numerical\nIP address in the URL to access the site and the site must send back cookies\nto the site using domain= and a partial IP address.\n\nSince libcurl wrongly approaches the IP address like it was a normal domain\nname, a site at IP address `192.168.0.1` can set cookies for anything ending\nwith `.168.0.1` thus fooling libcurl to send them also to for example\n`129.168.0.1`.\n\nThe flaw requires dots to be present in the IP address, which restricts the\nflaw to IPv4 literal addresses or IPv6 addresses using the somewhat unusual\n\"dotted-quad\" style: `::ffff:192.0.2.128`.\n\nThis is not believed to be done by typical sites as this is not supported by\nclients that adhere to the rules of the RFC 6265, and many sites are written\nto explicitly use their own specific named domain when sending cookies.","aliases":["CVE-2014-3613"],"modified":"2024-02-08T00:03:48Z","published":"2014-09-10T08:00:00Z","database_specific":{"www":"https://curl.se/docs/CVE-2014-3613.html","last_affected":"7.37.1","severity":"Medium","URL":"https://curl.se/docs/CVE-2014-3613.json","package":"curl","affects":"both","CWE":{"id":"CWE-201","desc":"Information Exposure Through Sent Data"}},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"4.0"},{"fixed":"7.38.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"ae1912cb0d494b48d514d937826c9fe83ec96c4d"},{"fixed":"8a75dbeb2305297640453029b7905ef51b87e8dd"}]}],"versions":["7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0","7.19.7","7.19.6","7.19.5","7.19.4","7.19.3","7.19.2","7.19.1","7.19.0","7.18.2","7.18.1","7.18.0","7.17.1","7.17.0","7.16.4","7.16.3","7.16.2","7.16.1","7.16.0","7.15.5","7.15.4","7.15.3","7.15.2","7.15.1","7.15.0","7.14.1","7.14.0","7.13.2","7.13.1","7.13.0","7.12.3","7.12.2","7.12.1","7.12.0","7.11.2","7.11.1","7.11.0","7.10.8","7.10.7","7.10.6","7.10.5","7.10.4","7.10.3","7.10.2","7.10.1","7.10","7.9.8","7.9.7","7.9.6","7.9.5","7.9.4","7.9.3","7.9.2","7.9.1","7.9","7.8.1","7.8","7.7.3","7.7.2","7.7.1","7.7","7.6.1","7.6","7.5.2","7.5.1","7.5","7.4.2","7.4.1","7.4","7.3","7.2.1","7.2","7.1.1","7.1","6.5.2","6.5.1","6.5","6.4","6.3.1","6.3","6.2","6.1","6.0","5.11","5.10","5.9.1","5.9","5.8","5.7.1","5.7","5.5.1","5.5","5.4","5.3","5.2.1","5.2","5.0","4.10","4.9","4.8.4","4.8.3","4.8.2","4.8.1","4.8","4.7","4.6","4.5.1","4.5","4.4","4.3","4.2","4.1","4.0"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","deprecated":false,"source":"https://github.com/curl/curl.git/commit/8a75dbeb2305297640453029b7905ef51b87e8dd","signature_type":"Line","target":{"file":"lib/cookie.c"},"id":"CURL-CVE-2014-3613-5c676ce8","digest":{"line_hashes":["48193140629594431961875792031979462971","40419595071063717580931625294846787860","31682766023644712692130480703583537515","170167534271166974692568355546885894499","72173484161231704427142728961887690991","197047260849961767404656204498329177842","202678825273316558750175825341020945557","277884015258461480236923990841319895242","141568499986626478202096199602469631037","265940049643460730329648436512124526366","26402600947135723464976580537702714382","133222860501163109447158108768545328909","238855233499316732008522225955227054287","5638455431410816103632823919831047387","309957372187837764643166812941162224256","253458811030188037044318997656325988192","59154469685219647925514910459337446871","218446293365496260693834068905905343243","279982505028885494557139546631320845775","248948980280895811024115301507668129176","281591720421980521664259365019858241582","332684196836659833893860218883490285398","251068276089663781672713207410904755820","182522399406296232508458988287765565438","28053063312788629979392865904565350827","245398011550918321352102276697411939535","265397182669783705130062021863830773110","129551746534864730256284487760850085281","97820455966816185945919434866359887110","231344647758062091723637762326555005453","330317555217916535550921207273417263461","149112304550406957337157493312388702730","2250289874304725603871973103345162673","53434452533081147797792591692988882996","38875066176780837954280691185498668036"],"threshold":0.9}},{"signature_version":"v1","deprecated":false,"source":"https://github.com/curl/curl.git/commit/8a75dbeb2305297640453029b7905ef51b87e8dd","signature_type":"Function","target":{"file":"lib/cookie.c","function":"Curl_cookie_add"},"id":"CURL-CVE-2014-3613-651f9dd7","digest":{"function_hash":"91415325935001711939253233838429427598","length":7169}},{"signature_version":"v1","deprecated":false,"source":"https://github.com/curl/curl.git/commit/8a75dbeb2305297640453029b7905ef51b87e8dd","signature_type":"Function","target":{"file":"lib/cookie.c","function":"Curl_cookie_getlist"},"id":"CURL-CVE-2014-3613-8844e795","digest":{"function_hash":"216881365294408849904332636230527122357","length":1289}}],"source":"https://curl.se/docs/CURL-CVE-2014-3613.json"}}],"schema_version":"1.7.3","credits":[{"name":"Tim Ruehsen","type":"FINDER"},{"name":"Tim Ruehsen","type":"REMEDIATION_DEVELOPER"}]}