fkie_nvd - fkie_cve-2013-6422

fkie_cve-2013-6422

Vulnerability from fkie_nvd

Published

2013-12-23 22:55

Modified

2025-04-11 00:51

Severity ?

Summary

The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.

References

URL	Tags
secalert@redhat.com	http://curl.haxx.se/docs/adv_20131217.html	Vendor Advisory
secalert@redhat.com	http://www.debian.org/security/2013/dsa-2824
secalert@redhat.com	http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
secalert@redhat.com	http://www.ubuntu.com/usn/USN-2058-1
secalert@redhat.com	https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04463322
af854a3a-2127-422b-91ae-364da2661108	http://curl.haxx.se/docs/adv_20131217.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.debian.org/security/2013/dsa-2824
af854a3a-2127-422b-91ae-364da2661108	http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
af854a3a-2127-422b-91ae-364da2661108	http://www.ubuntu.com/usn/USN-2058-1
af854a3a-2127-422b-91ae-364da2661108	https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04463322

Impacted products

Vendor	Product	Version
debian	debian_linux	7.0
canonical	ubuntu_linux	12.04
canonical	ubuntu_linux	12.10
canonical	ubuntu_linux	13.04
canonical	ubuntu_linux	13.10
haxx	libcurl	7.21.4
haxx	libcurl	7.21.5
haxx	libcurl	7.21.6
haxx	libcurl	7.21.7
haxx	libcurl	7.22.0
haxx	libcurl	7.23.0
haxx	libcurl	7.23.1
haxx	libcurl	7.24.0
haxx	libcurl	7.25.0
haxx	libcurl	7.26.0
haxx	libcurl	7.27.0
haxx	libcurl	7.28.0
haxx	libcurl	7.28.1
haxx	libcurl	7.29.0
haxx	libcurl	7.30.0
haxx	libcurl	7.31.0
haxx	libcurl	7.32.0
haxx	libcurl	7.33.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*",
              "matchCriteriaId": "F5D324C4-97C7-49D3-A809-9EAD4B690C69",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "E2076871-2E80-4605-A470-A41C1A8EC7EE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:13.04:*:*:*:*:*:*:*",
              "matchCriteriaId": "EFAA48D9-BEB4-4E49-AD50-325C262D46D9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F61F047-129C-41A6-8A27-FFCBB8563E91",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:7.21.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EAE25A0-3828-46F1-AB30-88732CBC9F38",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:7.21.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "1533A85C-2160-445D-8787-E624AEDC5A0C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:7.21.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "D87B9393-7EA4-43DA-900C-7E840AE2D4C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:7.21.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "7D1249E9-304F-4952-8DAB-8B79CE5E7D54",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:7.22.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "83FAF953-6A65-4FAB-BDB5-03B468CD1C9A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:7.23.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "29F8FF1F-A639-4161-9366-62528AAF4C07",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:7.23.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "812AB429-379A-4EDE-9664-5BC2989053F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:7.24.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "13DD791F-C4BD-4456-955A-92E84082AA09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:7.25.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4A17E442-45AA-4780-98B4-9BF764DCC1C5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:7.26.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F6AF544C-5F16-4434-B9FB-93B1B7318950",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:7.27.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "CBFD9ED9-2412-44AE-9C55-0ED03A121B23",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:7.28.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "67CCE31B-ABDA-4F32-BAF1-B1AD0664B3E2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:7.28.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "9E66A332-ECD1-4452-B444-FB629022FDF0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:7.29.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "CDD3D599-35E9-4590-B5E0-3AF04D344695",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:7.30.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A3B6BFFB-7967-482C-9B49-4BD25C815299",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:7.31.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1791BF6D-2C96-4A6E-90D4-2906A73601F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:7.32.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "260DD751-4145-4B75-B892-5FC932C6A305",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:haxx:libcurl:7.33.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "EFF4AD0D-2EC5-4CE8-B6B3-2EC8ED2FF118",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks."
    },
    {
      "lang": "es",
      "value": "El backend de GnuTLS en libcurl 7.21.4 a 7.33.0, cuando se desactiva la verificaci\u00f3n de firmas digitales (CURLOPT_SSL_VERIFYPEER), tambi\u00e9n desactiva la comprobaci\u00f3n CURLOPT_SSL_VERIFYHOST para nombres de host CN o SAN, lo cual facilita a atacantes remotos la suplantaci\u00f3n de servidores y la ejecuci\u00f3n de ataques man-in-the-middle (MITM)."
    }
  ],
  "id": "CVE-2013-6422",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 4.9,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2013-12-23T22:55:02.943",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://curl.haxx.se/docs/adv_20131217.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.debian.org/security/2013/dsa-2824"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.ubuntu.com/usn/USN-2058-1"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04463322"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://curl.haxx.se/docs/adv_20131217.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2013/dsa-2824"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.ubuntu.com/usn/USN-2058-1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04463322"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2013-6422 (GCVE-0-2013-6422)

Vulnerability from cvelistv5

Published

2013-12-23 22:00