CVE-2013-6422: The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the…

CVE-2013-6422 [MEDIUM] CWE-20 GHSA-fw5f-w62r-p5ww: The GnuTLS backend in libcurl 7 The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.

CVE-2013-6422 [MEDIUM] CVE-2013-6422: The GnuTLS backend in libcurl 7 The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.

CVE-2013-6422 curl vulnerability Title: curl vulnerability Summary: Fraudulent security certificates could allow sensitive information to be exposed when accessing the Internet. Marc Deslauriers discovered that libcurl incorrectly verified CN and SAN name fields when digital signature verification was disabled in the GnuTLS backend. When libcurl is being used in this uncommon way by specific applications, an attacker could exploit this to perform a machine-in-the-middle attack to view sensitive information or alter encrypted communications. Instructions: In general, a standard system update will make all the necessary changes.

CVE-2013-6422 [MEDIUM] curl: TLS/SSL certificate name check disabled with peer verification when using GnuTLS curl: TLS/SSL certificate name check disabled with peer verification when using GnuTLS The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks. Statement: Not vulnerable. This issue did not affect the versions of curl as shipped with Red Hat Enterprise Linux 5 and 6. Package: curl (Red Hat Enterprise Linux 5) - Not affected Package: curl (Red Hat Enterprise Linux 6) - Not affected Package: curl (Red Hat Enterprise Linux 7) - Not affected

CVE-2013-6422 [MEDIUM] CVE-2013-6422: curl - The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital sign... The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks. Scope: local bookworm: resolved (fixed in 7.34.0-1) bullseye: resolved (fixed in 7.34.0-1) forky: resolved (fixed in 7.34.0-1) sid: resolved (fixed in 7.34.0-1) trixie: resolved (fixed in 7.34.0-1)

CVE-2013-6422 [MEDIUM] CVE-2013-6422 curl: TLS/SSL certificate name check disabled with peer verification when using GnuTLS CVE-2013-6422 curl: TLS/SSL certificate name check disabled with peer verification when using GnuTLS Curl upstream reported an issue (similar to CVE-2013-4545) related to the verification of the connection host name against the server name specified in a TLS/SSL server certificate. When libcurl was built using GnuTLS as TLS/SSL library, setting CURLOPT_SSL_VERIFYPEER option to 0 (i.e. disabling verification that the certificate is valid and was issued by a trusted certificate authority) also disabled server name checks regardless of the value of the CURLOPT_SSL_VERIFYHOST option. This caused libcurl to skip name checks while an application using the library could expect it to be performed. Note: Only enabling VERIFYHOST while disabling VERIFYPEER is insecure unless the application perfor