CVSS2
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS percentile: 59.2%
cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, ignore the
CURLOPT_SSL_VERIFYHOST setting (the check that the certificate's CN or SAN name
matches the requested host) whenever CURLOPT_SSL_VERIFYPEER (verification of the
certificate chain and signature) is disabled. An application that turned off peer
verification but kept host verification therefore got neither check, so a
man-in-the-middle attacker holding any valid certificate, issued for any name,
could impersonate the SSL server. The upstream fix (curl 7.33.0) performs the
name check independently of CURLOPT_SSL_VERIFYPEER.
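As an added example (not part of this advisory page or of curl's own code), the Python below models the downgrade described above and uses it to audit C call sites: it parses a libcurl version string, decides whether it falls in the affected 7.18.0 through 7.32.0 range, computes which checks are actually in effect for a given VERIFYPEER/VERIFYHOST pair, and flags handles that set VERIFYPEER to 0 while still relying on VERIFYHOST. The C source lines, handle names (h1, h2, h3) and the regex over curl_easy_setopt are constructed for the demonstration; the default values (VERIFYPEER=1, VERIFYHOST=2) and the behaviour of 7.33.0 and later follow the upstream documentation and advisory.

```python
"""Audit libcurl TLS option usage for the CVE-2013-4545 silent downgrade.

Added example: models the behaviour described in the advisory text. On libcurl
7.18.0 through 7.32.0 (OpenSSL build), CURLOPT_SSL_VERIFYPEER=0 also disabled
the CURLOPT_SSL_VERIFYHOST name check; from 7.33.0 the name check is honoured
on its own. All sample inputs below are constructed, not real application code.
"""
import re

AFFECTED_MIN = (7, 18, 0)
AFFECTED_MAX = (7, 32, 0)

# libcurl defaults when an application never sets the option.
DEFAULT_OPTS = {"VERIFYPEER": 1, "VERIFYHOST": 2}

# Matches e.g. curl_easy_setopt(h, CURLOPT_SSL_VERIFYPEER, 0L); (constructed regex,
# only handles literal integer arguments, which is what an audit usually looks for).
SETOPT_RE = re.compile(
    r"curl_easy_setopt\s*\(\s*(\w+)\s*,\s*CURLOPT_SSL_(VERIFYPEER|VERIFYHOST)"
    r"\s*,\s*(\d+)L?\s*\)"
)


def parse_version(text):
    """'7.28.1' -> (7, 28, 1); tolerates a suffix such as '7.32.0-DEV'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised libcurl version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True for 7.18.0 <= version <= 7.32.0, the range named in the advisory."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def effective_checks(version, verifypeer, verifyhost):
    """Return (chain_checked, name_checked) actually enforced at runtime.

    Any non-zero VERIFYHOST is treated as 'the name is checked'; the CVE is the
    case where that expectation was silently not met.
    """
    chain = bool(verifypeer)
    name = bool(verifyhost)
    if is_affected(version) and not chain:
        name = False  # the downgrade: VERIFYHOST ignored when VERIFYPEER is 0
    return chain, name


def audit_source(source, version):
    """Collect per-handle VERIFYPEER/VERIFYHOST settings and report findings.

    Returns a list of (handle, finding) tuples; handles with both checks in
    effect produce no finding.
    """
    handles = {}
    for m in SETOPT_RE.finditer(source):
        handle, opt, val = m.group(1), m.group(2), int(m.group(3))
        handles.setdefault(handle, dict(DEFAULT_OPTS))[opt] = val

    findings = []
    for handle, opts in handles.items():
        chain, name = effective_checks(version, opts["VERIFYPEER"], opts["VERIFYHOST"])
        if not chain and opts["VERIFYHOST"] and not name:
            findings.append((handle, "VERIFYHOST set but silently ignored (CVE-2013-4545)"))
        elif not chain:
            findings.append((handle, "peer verification disabled"))
        elif not name:
            findings.append((handle, "hostname verification disabled"))
    return findings


# Constructed sample source: three handles with different option combinations.
SAMPLE_SOURCE = """\
curl_easy_setopt(h1, CURLOPT_SSL_VERIFYPEER, 0L);   /* "only for the test env" */
curl_easy_setopt(h1, CURLOPT_SSL_VERIFYHOST, 2L);   /* author expects this to still apply */
curl_easy_setopt(h2, CURLOPT_SSL_VERIFYPEER, 1L);
curl_easy_setopt(h2, CURLOPT_SSL_VERIFYHOST, 2L);
curl_easy_setopt(h3, CURLOPT_SSL_VERIFYHOST, 0L);
"""

if __name__ == "__main__":
    for ver in ("7.32.0", "7.33.0"):
        print(f"libcurl {ver} (affected: {is_affected(ver)})")
        for handle, finding in audit_source(SAMPLE_SOURCE, ver):
            print(f"  {handle}: {finding}")
```

On an affected version the audit reports h1 as relying on a name check that never runs; on 7.33.0 the same code is still reported, but only for the deliberate VERIFYPEER=0, which is the finding an application reviewer should have raised in the first place.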
Author | Note |
---|---|
mdeslaur | GnuTLS backend also appears to be affected. Sent mail to curl-library list. |
curl.haxx.se/docs/adv_20131115.html
curl.haxx.se/mail/lib-2013-10/0002.html
www.debian.org/security/2013/dsa-2798
launchpad.net/bugs/cve/CVE-2013-4545
nvd.nist.gov/vuln/detail/CVE-2013-4545
security-tracker.debian.org/tracker/CVE-2013-4545
ubuntu.com/security/notices/USN-2048-1
www.cve.org/CVERecord?id=CVE-2013-4545