curl and libcurl 7.27.0 through 7.35.0, when using the SecureTransport/Darwinssl backend, as used in in Apple OS X 10.9.x before 10.9.2, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: apple
Published: 2014-02-27T01:00:00
Updated: 2024-08-06T09:34:41.196Z
Reserved: 2014-01-08T00:00:00
Link: CVE-2014-1263
Vulnrichment
No data.
NVD
Status : Modified
Published: 2014-02-27T01:55:04.070
Modified: 2014-05-05T05:32:35.670
Link: CVE-2014-1263
Redhat
No data.