CVE-2013-4545
cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Published at
2013-11-23T11:55Z
3809 days ago
Modified
2016-06-17T01:59Z
2873 days ago
CWE-310
Problem type
References
| URL | Type |
|---|---|
| curl.haxx.se http://curl.haxx.se/docs/adv_20131115.html | CONFIRM |
| DSA-2798 http://www.debian.org/security/2013/dsa-2798 | DEBIAN |
| openSUSE-SU-2013:1865 http://lists.opensuse.org/opensuse-updates/2013-12/msg00053.html | SUSE |
| openSUSE-SU-2013:1859 http://lists.opensuse.org/opensuse-updates/2013-12/msg00047.html | SUSE |
| USN-2048-1 http://www.ubuntu.com/usn/USN-2048-1 | UBUNTU |
| www.oracle.com http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html | CONFIRM |
| www.oracle.com http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html | CONFIRM |
| HPSBMU03112 https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04463322 | HP |
| www.oracle.com http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html | CONFIRM |
GET https://vulnerabilitydata.com/api/details/CVE-2013-4545
{
"id": "CVE-2013-4545",
"published_date": "2013-11-23T11:55Z",
"last_modified_date": "2016-06-17T01:59Z",
"assigner": "secalert@redhat.com",
"description": "cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
"references": [
{
"url": "http://curl.haxx.se/docs/adv_20131115.html",
"name": "http://curl.haxx.se/docs/adv_20131115.html",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
]
},
{
"url": "http://www.debian.org/security/2013/dsa-2798",
"name": "DSA-2798",
"refsource": "DEBIAN",
"tags": []
},
{
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00053.html",
"name": "openSUSE-SU-2013:1865",
"refsource": "SUSE",
"tags": []
},
{
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00047.html",
"name": "openSUSE-SU-2013:1859",
"refsource": "SUSE",
"tags": []
},
{
"url": "http://www.ubuntu.com/usn/USN-2048-1",
"name": "USN-2048-1",
"refsource": "UBUNTU",
"tags": []
},
{
"url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html",
"name": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html",
"refsource": "CONFIRM",
"tags": []
},
{
"url": "http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html",
"name": "http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html",
"refsource": "CONFIRM",
"tags": []
},
{
"url": "https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04463322",
"name": "HPSBMU03112",
"refsource": "HP",
"tags": []
},
{
"url": "http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html",
"name": "http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html",
"refsource": "CONFIRM",
"tags": []
}
],
"impact": {
"baseMetricV2": {
"cvssV2": {
"version": "2.0",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"accessVector": "NETWORK",
"accessComplexity": "MEDIUM",
"authentication": "NONE",
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"availabilityImpact": "NONE",
"baseScore": 4.3
},
"severity": "MEDIUM",
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
}
},
"problem_type": "CWE-310"
}