{
  "threat_severity" : "Moderate",
  "public_date" : "2015-01-08T00:00:00Z",
  "bugzilla" : {
    "description" : "curl: URL request injection vulnerability in parseurlandfillconn()",
    "id" : "1178692",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1178692"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-113",
  "details" : [ "CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.", "It was discovered that the libcurl library failed to properly handle URLs with embedded end-of-line characters. An attacker able to make an application using libcurl access a specially crafted URL via an HTTP proxy could use this flaw to inject additional headers into the request or construct additional requests." ],
  "statement" : "Red Hat Enterprise Linux 5 is now in the Production 3 Phase of the support and maintenance life cycle. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.",
  "acknowledgement" : "Red Hat would like to thank the cURL project for reporting this issue. Upstream acknowledges Andrey Labunets (Facebook) as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2015-07-20T00:00:00Z",
    "advisory" : "RHSA-2015:1254",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "curl-0:7.19.7-46.el6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2015-11-19T00:00:00Z",
    "advisory" : "RHSA-2015:2159",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "curl-0:7.29.0-25.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 4",
    "fix_state" : "Will not fix",
    "package_name" : "curl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "curl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Virtualization 3",
    "fix_state" : "Will not fix",
    "package_name" : "mingw-virt-viewer",
    "cpe" : "cpe:/a:redhat:enterprise_linux:7::hypervisor"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-8150\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-8150\nhttp://curl.haxx.se/docs/adv_20150108B.html" ],
  "name" : "CVE-2014-8150",
  "csaw" : false
}