cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: redhat
Published: 2013-11-23T11:00:00
Updated: 2024-08-06T16:45:14.830Z
Reserved: 2013-06-12T00:00:00
Link: CVE-2013-4545
Vulnrichment
No data.
NVD
Status : Modified
Published: 2013-11-23T11:55:04.740
Modified: 2016-06-17T01:59:31.977
Link: CVE-2013-4545
Redhat