Home

CVE-2014-8151

Description

The darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in libcurl 7.31.0 through 7.39.0, when using the DarwinSSL (aka SecureTransport) back-end for TLS, does not check if a cached TLS session validated the certificate when reusing the session, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

Risk Information

Base Score
6.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
EPSS Score
Exploitation Probability
0.424

Associated Vulnerability

VulnerabilityOS Platform
Multiple Vulnerabilities are affected in Curl For Windows 7.31.0Windows
Multiple Vulnerabilities are affected in Curl For Windows 7.32.0Windows
Multiple Vulnerabilities are affected in Curl For Windows 7.33.0Windows
Multiple Vulnerabilities are affected in Curl For Windows 7.34.0Windows
Multiple Vulnerabilities are affected in Curl For Windows 7.35.0Windows
Multiple Vulnerabilities are affected in Curl For Windows 7.36.0Windows
Multiple Vulnerabilities are affected in Curl For Windows 7.37.0Windows
Multiple Vulnerabilities are affected in Curl For Windows 7.37.1Windows
Multiple Vulnerabilities are affected in Curl For Windows 7.38.0Windows
Vulnerabilities CVE-2014-8150,CVE-2014-8151,CVE-2017-1000100,CVE-2017-1000254 are affected in Curl For Windows 7.39Windows
Vulnerabilities CVE-2014-8151,CVE-2014-8150 are fixed in Curl For Windows 7.40.0Windows
Multiple vulnerabilities are fixed in OS X Yosemite 10.10.5 UpdateMac
Multiple vulnerabilities are fixed in OS X Yosemite 10.10.5 Combo UpdateMac
CVE-2014-8151NCM

Patch Details

Click to see the patches provided by ManageEngine for this CVE
Patch IDPatch Description
PATCH-600354OS X Yosemite 10.10.5 Update
PATCH-600458OS X Yosemite 10.10.5 Combo Update

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234