CVE-2013-6422
Last modified
CVE-2013-6422 is a vulnerability of currently unknown severity. The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.. EPSS estimates a 2.76% chance of exploitation in the next 30 days.
Description
The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Debian | Debian Linux | 7.0 |
| Canonical | Ubuntu Linux | 12.04 |
| Canonical | Ubuntu Linux | 12.10 |
| Canonical | Ubuntu Linux | 13.04 |
| Canonical | Ubuntu Linux | 13.10 |
| Haxx | Libcurl | 7.21.4 |
| Haxx | Libcurl | 7.21.5 |
| Haxx | Libcurl | 7.21.6 |
| Haxx | Libcurl | 7.21.7 |
| Haxx | Libcurl | 7.22.0 |
| Haxx | Libcurl | 7.23.0 |
| Haxx | Libcurl | 7.23.1 |
| Haxx | Libcurl | 7.24.0 |
| Haxx | Libcurl | 7.25.0 |
| Haxx | Libcurl | 7.26.0 |
| Haxx | Libcurl | 7.27.0 |
| Haxx | Libcurl | 7.28.0 |
| Haxx | Libcurl | 7.28.1 |
| Haxx | Libcurl | 7.29.0 |
| Haxx | Libcurl | 7.30.0 |
| Haxx | Libcurl | 7.31.0 |
| Haxx | Libcurl | 7.32.0 |
| Haxx | Libcurl | 7.33.0 |
References
- http://curl.haxx.se/docs/adv_20131217.htmlVendor Advisory
- http://curl.haxx.se/docs/adv_20131217.htmlVendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2013-6422?
How severe is CVE-2013-6422?
How do I fix CVE-2013-6422?
Are you affected by CVE-2013-6422?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST