CVE-2013-6422

The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.

Published: Dec 23, 2013
Updated: Apr 13, 2023
CVE: CVE-2013-6422
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:H/Au:N/C:P/I:P/A:N

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
debian / debian_linux	7.0	7.0.x
canonical / ubuntu_linux	13.04	13.04.x
canonical / ubuntu_linux	13.10	13.10.x
canonical / ubuntu_linux	12.10	12.10.x
canonical / ubuntu_linux	12.04	12.04.x
haxx / libcurl	7.30.0	7.30.0.x
haxx / libcurl	7.25.0	7.25.0.x
haxx / libcurl	7.33.0	7.33.0.x
haxx / libcurl	7.23.0	7.23.0.x
haxx / libcurl	7.26.0	7.26.0.x
haxx / libcurl	7.31.0	7.31.0.x
haxx / libcurl	7.22.0	7.22.0.x
haxx / libcurl	7.28.0	7.28.0.x
haxx / libcurl	7.21.5	7.21.5.x
haxx / libcurl	7.24.0	7.24.0.x
haxx / libcurl	7.27.0	7.27.0.x
haxx / libcurl	7.23.1	7.23.1.x
haxx / libcurl	7.21.6	7.21.6.x
haxx / libcurl	7.21.7	7.21.7.x
haxx / libcurl	7.32.0	7.32.0.x
haxx / libcurl	7.29.0	7.29.0.x
haxx / libcurl	7.28.1	7.28.1.x
haxx / libcurl	7.21.4	7.21.4.x

Vulnerability Database

289,599

CVE-2013-6422