CVE-2013-4545

cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://curl.haxx.se/docs/adv_20131115.html	Vendor Advisory
http://www.debian.org/security/2013/dsa-2798
http://lists.opensuse.org/opensuse-updates/2013-12/msg00053.html
http://lists.opensuse.org/opensuse-updates/2013-12/msg00047.html
http://www.ubuntu.com/usn/USN-2048-1
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04463322
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:haxx:curl:7.32.0:::::::*
	cpe:2.3:a:haxx:curl:7.18.2:::::::*
	cpe:2.3:a:haxx:curl:7.18.1:::::::*
	cpe:2.3:a:haxx:curl:7.19.5:::::::*
	cpe:2.3:a:haxx:curl:7.19.2:::::::*
	cpe:2.3:a:haxx:curl:7.21.5:::::::*
	cpe:2.3:a:haxx:curl:7.21.2:::::::*
	cpe:2.3:a:haxx:curl:7.25.0:::::::*
	cpe:2.3:a:haxx:curl:7.26.0:::::::*
	cpe:2.3:a:haxx:curl:7.19.0:::::::*
	cpe:2.3:a:haxx:curl:7.19.6:::::::*
	cpe:2.3:a:haxx:curl:7.21.3:::::::*
	cpe:2.3:a:haxx:curl:7.24.0:::::::*
	cpe:2.3:a:haxx:curl:7.18.0:::::::*
	cpe:2.3:a:haxx:curl:7.21.1:::::::*
	cpe:2.3:a:haxx:curl:7.19.1:::::::*
	cpe:2.3:a:haxx:curl:7.29.0:::::::*
	cpe:2.3:a:haxx:curl:7.22.0:::::::*
	cpe:2.3:a:haxx:curl:7.20.0:::::::*
	cpe:2.3:a:haxx:curl:7.20.1:::::::*
	cpe:2.3:a:haxx:curl:7.19.7:::::::*
	cpe:2.3:a:haxx:curl:7.19.3:::::::*
	cpe:2.3:a:haxx:curl:7.23.1:::::::*
	cpe:2.3:a:haxx:curl:7.21.6:::::::*
	cpe:2.3:a:haxx:curl:7.30.0:::::::*
	cpe:2.3:a:haxx:curl:7.27.0:::::::*
	cpe:2.3:a:haxx:curl:7.19.4:::::::*
	cpe:2.3:a:haxx:curl:7.31.0:::::::*
	cpe:2.3:a:haxx:curl:7.21.0:::::::*
	cpe:2.3:a:haxx:curl:7.28.0:::::::*
	cpe:2.3:a:haxx:curl:7.23.0:::::::*
	cpe:2.3:a:haxx:curl:7.21.4:::::::*
	cpe:2.3:a:haxx:curl:7.21.7:::::::*
	cpe:2.3:a:haxx:curl:7.28.1:::::::*

Configuration 2 (hide)

OR	cpe:2.3:a:haxx:libcurl:7.31.0:::::::*
	cpe:2.3:a:haxx:libcurl:7.32.0:::::::*
	cpe:2.3:a:haxx:libcurl:7.19.3:::::::*
	cpe:2.3:a:haxx:libcurl:7.19.4:::::::*
	cpe:2.3:a:haxx:libcurl:7.21.2:::::::*
	cpe:2.3:a:haxx:libcurl:7.21.3:::::::*
	cpe:2.3:a:haxx:libcurl:7.23.1:::::::*
	cpe:2.3:a:haxx:libcurl:7.24.0:::::::*
	cpe:2.3:a:haxx:libcurl:7.30.0:::::::*
	cpe:2.3:a:haxx:libcurl:7.18.2:::::::*
	cpe:2.3:a:haxx:libcurl:7.19.0:::::::*
	cpe:2.3:a:haxx:libcurl:7.19.6:::::::*
	cpe:2.3:a:haxx:libcurl:7.25.0:::::::*
	cpe:2.3:a:haxx:libcurl:7.18.0:::::::*
	cpe:2.3:a:haxx:libcurl:7.23.0:::::::*
	cpe:2.3:a:haxx:libcurl:7.19.1:::::::*
	cpe:2.3:a:haxx:libcurl:7.22.0:::::::*
	cpe:2.3:a:haxx:libcurl:7.20.0:::::::*
	cpe:2.3:a:haxx:libcurl:7.21.0:::::::*
	cpe:2.3:a:haxx:libcurl:7.28.0:::::::*
	cpe:2.3:a:haxx:libcurl:7.21.5:::::::*
	cpe:2.3:a:haxx:libcurl:7.27.0:::::::*
	cpe:2.3:a:haxx:libcurl:7.19.7:::::::*
	cpe:2.3:a:haxx:libcurl:7.21.6:::::::*
	cpe:2.3:a:haxx:libcurl:7.19.5:::::::*
	cpe:2.3:a:haxx:libcurl:7.21.7:::::::*
	cpe:2.3:a:haxx:libcurl:7.21.1:::::::*
	cpe:2.3:a:haxx:libcurl:7.20.1:::::::*
	cpe:2.3:a:haxx:libcurl:7.29.0:::::::*
	cpe:2.3:a:haxx:libcurl:7.18.1:::::::*
	cpe:2.3:a:haxx:libcurl:7.28.1:::::::*
	cpe:2.3:a:haxx:libcurl:7.21.4:::::::*
	cpe:2.3:a:haxx:libcurl:7.19.2:::::::*
	cpe:2.3:a:haxx:libcurl:7.26.0:::::::*

Information

Published : 2013-11-23 03:55

Updated : 2016-06-16 18:59

NVD link : CVE-2013-4545

Mitre link : CVE-2013-4545

JSON object : View

CWE

CWE-310

Cryptographic Issues

Products Affected

haxx

curl
libcurl

4.3 /10