← Back

CVE-2013-6422

nvd nist
Published: Dec 23, 2013Modified: Apr 29, 2026

JSON object

Loading...
4.0
Vector
AV:N/AC:H/Au:N/C:P/I:P/A:N
Exploitability: 4.9 / Impact: 4.9
Source: NVD

Description

The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.

Affected (23)

Debian
1 product
Debian Linux
Canonical
1 product
Ubuntu Linux
Haxx
1 product
Libcurl
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Debian Linux
Version 7.0
Configuration B
4 vulnerable
Vulnerable SoftwareAffected Versions
Canonical
Ubuntu Linux
Version 12.04
Ubuntu Linux
Version 12.10
Ubuntu Linux
Version 13.04
Ubuntu Linux
Version 13.10
Configuration C
18 vulnerable
Vulnerable SoftwareAffected Versions
Haxx
Libcurl
Version 7.21.4
Libcurl
Version 7.21.5
Libcurl
Version 7.21.6
Libcurl
Version 7.21.7
Libcurl
Version 7.22.0
Libcurl
Version 7.23.0
Libcurl
Version 7.23.1
Libcurl
Version 7.24.0
Libcurl
Version 7.25.0
Libcurl
Version 7.26.0
Libcurl
Version 7.27.0
Libcurl
Version 7.28.0
Libcurl
Version 7.28.1
Libcurl
Version 7.29.0
Libcurl
Version 7.30.0
Libcurl
Version 7.31.0
Libcurl
Version 7.32.0
Libcurl
Version 7.33.0

Related CWEs

CWE-20
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (10)

Source: secalert@redhat.com
Vendor Advisory
Source: secalert@redhat.com
Source: secalert@redhat.com
Source: secalert@redhat.com
Source: secalert@redhat.com
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.