CVE-2014-3613 | Vulnerability Database | Aqua Security

cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.

Affected Software

Name	Vendor	Start Version	End Version
Curl	Haxx	*	7.37.1 (including)
Curl	Haxx	7.31.0 (including)	7.31.0 (including)
Curl	Haxx	7.32.0 (including)	7.32.0 (including)
Curl	Haxx	7.33.0 (including)	7.33.0 (including)
Curl	Haxx	7.34.0 (including)	7.34.0 (including)
Curl	Haxx	7.35.0 (including)	7.35.0 (including)
Curl	Haxx	7.36.0 (including)	7.36.0 (including)
Curl	Haxx	7.37.0 (including)	7.37.0 (including)
Red Hat Enterprise Linux 6	RedHat	curl-0:7.19.7-46.el6	*
Red Hat Enterprise Linux 7	RedHat	curl-0:7.29.0-25.el7	*
Curl	Ubuntu	devel	*
Curl	Ubuntu	lucid	*
Curl	Ubuntu	precise	*
Curl	Ubuntu	trusty	*
Curl	Ubuntu	upstream	*

References

http://curl.haxx.se/docs/adv_20140910A.html
http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10743
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00024.html
http://rhn.redhat.com/errata/RHSA-2015-1254.html
http://www.debian.org/security/2014/dsa-3022
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
http://www.securityfocus.com/bid/69748
https://support.apple.com/kb/HT205031

NVD	https://nvd.nist.gov/vuln/detail/CVE-2014-3613
CWE	https://cwe.mitre.org/data/definitions/310.html