Lucene search

K
ubuntucveUbuntu.comUB:CVE-2013-4545
HistoryNov 23, 2013 - 12:00 a.m.

CVE-2013-4545

2013-11-2300:00:00
ubuntu.com
ubuntu.com
21

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS

0.002

Percentile

59.2%

cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables
the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST)
when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is
disabled, which allows man-in-the-middle attackers to spoof SSL servers via
an arbitrary valid certificate.

Notes

Author Note
mdeslaur GnuTLS backend also appears to be affected. Sent mail to curl-library list.
OSVersionArchitecturePackageVersionFilename
ubuntu10.04noarchcurl< 7.19.7-1ubuntu1.4UNKNOWN
ubuntu12.04noarchcurl< 7.22.0-3ubuntu4.4UNKNOWN
ubuntu12.10noarchcurl< 7.27.0-1ubuntu1.5UNKNOWN
ubuntu13.04noarchcurl< 7.29.0-1ubuntu3.3UNKNOWN
ubuntu13.10noarchcurl< 7.32.0-1ubuntu1.1UNKNOWN

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS

0.002

Percentile

59.2%