CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N

EPSS

Percentile: 69.4%

curl and libcurl 7.27.0 through 7.35.0, when running on Windows and using
the SChannel/Winssl TLS backend, do not verify that the server hostname
matches a domain name in the subject’s Common Name (CN) or subjectAltName
field of the X.509 certificate when accessing a URL that uses a numerical
IP address, which allows man-in-the-middle attackers to spoof servers via
an arbitrary valid certificate.

Author | Note |
---|---|
mdeslaur | windows-specific |