CVE-2014-0015
CVE-2014-0015 is a medium-severity vulnerability in Haxx Libcurl with a CVSS 2.0 base score of 4.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-287.
Key facts
- Severity: Medium (CVSS 2.0 base score 4.0)
- EPSS exploit prediction: 6% (92nd percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-287
- Affected product: Haxx Libcurl
- Published:
- Last modified:
Description
cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.
Frequently asked questions
- What is CVE-2014-0015?
- cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.
- How severe is CVE-2014-0015?
- CVE-2014-0015 has a CVSS 2.0 base score of 4.0, rated medium severity.
- Is CVE-2014-0015 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 6% (92nd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2014-0015?
- CVE-2014-0015 primarily affects Haxx Libcurl. In total, 128 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2014-0015?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2014-0015 published?
- CVE-2014-0015 was published on 2014-02-02 and last updated on 2026-06-17.
References
- http://archives.neohapsis.com/archives/bugtraq/2014-06/0172.html
- http://curl.haxx.se/docs/adv_20140129.html
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743
- http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127627.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-February/128408.html
- http://lists.opensuse.org/opensuse-updates/2014-02/msg00066.html
- http://seclists.org/fulldisclosure/2014/Dec/23
- http://secunia.com/advisories/56728
- http://secunia.com/advisories/56731
- http://secunia.com/advisories/56734
- http://secunia.com/advisories/56912
- http://secunia.com/advisories/59458
- http://secunia.com/advisories/59475
- http://support.apple.com/kb/HT6296
- http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095862
- http://www.debian.org/security/2014/dsa-2849
- http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
- http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- http://www.securityfocus.com/archive/1/534161/100/0/threaded
- http://www.securityfocus.com/bid/65270
- http://www.securitytracker.com/id/1029710
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.502652
- http://www.ubuntu.com/usn/USN-2097-1
- http://www.vmware.com/security/advisories/VMSA-2014-0012.html
Affected products (128)
- cpe:2.3:a:haxx:libcurl:7.10.6:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.10.7:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.10.8:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.12.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.12.3:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.13.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.13.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.14.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.14.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.15.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.15.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.15.3:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.15.4:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.15.5:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.16.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.16.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.16.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.16.3:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.16.4:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.17.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.17.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.18.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.18.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.18.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.19.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.19.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.19.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.19.3:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.19.4:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.19.5:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.19.6:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.19.7:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.20.0:*:*:*:*:*:*:*
More vulnerabilities in Haxx Libcurl
- CVE-2023-38545 — Critical (CVSS 9.8): This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the…
- CVE-2019-3822 — Critical (CVSS 9.8): libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an…
- CVE-2017-8818 — Critical (CVSS 9.8): curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to cause a denial of service (out-of-bounds access…
- CVE-2017-8817 — Critical (CVSS 9.8): The FTP wildcard function in curl and libcurl before 7.57.0 allows remote attackers to cause a denial of service…
- CVE-2017-8816 — Critical (CVSS 9.8): The NTLM authentication feature in curl and libcurl before 7.57.0 on 32-bit platforms allows attackers to cause a…
- CVE-2016-7167 — Critical (CVSS 9.8): Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape…
All CVEs affecting Haxx Libcurl →
Other CWE-287 (Improper Authentication) vulnerabilities
- CVE-2026-45480 — Critical (CVSS 10.0): Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network.
- CVE-2026-46389 — Critical (CVSS 10.0): UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS…
- CVE-2026-10611 — Critical (CVSS 10.0): An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement.…
- CVE-2026-47280 — Critical (CVSS 10.0): Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-42822 — Critical (CVSS 10.0): Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges…
- CVE-2026-20182 — Critical (CVSS 10.0): May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and…
Browse all CWE-287 (Improper Authentication) vulnerabilities →