curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2014-04-18T19:00:00
Updated: 2017-04-28T18:57:02
Reserved: 2014-03-17T00:00:00
Link: CVE-2014-2522
JSON object: View
NVD Information
Status : Modified
Published: 2014-04-18T22:14:38.587
Modified: 2017-04-29T01:59:01.413
Link: CVE-2014-2522
JSON object: View
Redhat Information
No data.
CWE