{
  "threat_severity" : "Moderate",
  "public_date" : "2014-09-10T00:00:00Z",
  "bugzilla" : {
    "description" : "curl: incorrect handling of IP addresses in cookie domain",
    "id" : "1136154",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1136154"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-20->CWE-284",
  "details" : [ "cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.", "It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user's cookie to a crafted domain, making other cookie-related issues easier to exploit." ],
  "statement" : "This issue affects the versions of curl as shipped with Red Hat Enterprise Linux 5 and is not planned to be corrected in future updates.\nInktank Ceph Enterprise 1.1 and 1.2 receives only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Inktank Ceph Enterprise Support Matrix:\nhttp://www.inktank.com/enterprise/support/",
  "acknowledgement" : "Red Hat would like to thank cURL project for reporting this issue. Upstream acknowledges Tim Ruehsen as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2015-07-20T00:00:00Z",
    "advisory" : "RHSA-2015:1254",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "curl-0:7.19.7-46.el6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2015-11-19T00:00:00Z",
    "advisory" : "RHSA-2015:2159",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "curl-0:7.29.0-25.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "curl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Virtualization 3",
    "fix_state" : "Affected",
    "package_name" : "mingw-virt-viewer",
    "cpe" : "cpe:/a:redhat:enterprise_linux:7::hypervisor"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-3613\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-3613\nhttp://curl.haxx.se/docs/adv_20140910A.html" ],
  "name" : "CVE-2014-3613",
  "csaw" : false
}