CVE-2013-4545
cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
- Published date
- 2013-11-23T11:55Z
- Last modification date
- 2016-06-17T01:59Z
- Assigner
- secalert@redhat.com
- Problem type
- CWE-310
| Name | URL | Source | Tags |
|---|---|---|---|
| http://curl.haxx.se/docs/adv_20131115.html | http://curl.haxx.se/docs/adv_20131115.html | CONFIRM | Vendor Advisory |
| DSA-2798 | http://www.debian.org/security/2013/dsa-2798 | DEBIAN | |
| openSUSE-SU-2013:1865 | http://lists.opensuse.org/opensuse-updates/2013-12/msg00053.html | SUSE | |
| openSUSE-SU-2013:1859 | http://lists.opensuse.org/opensuse-updates/2013-12/msg00047.html | SUSE | |
| USN-2048-1 | http://www.ubuntu.com/usn/USN-2048-1 | UBUNTU | |
| http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html | http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html | CONFIRM | |
| http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html | http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html | CONFIRM | |
| HPSBMU03112 | https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04463322 | HP | |
| http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html | http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html | CONFIRM |