CVE-2013-6422 — Improper Input Validation in Libcurl

CWE-20 — Improper Input Validation8 documents8 sources

Severity

4.0MEDIUMNVD

EPSS

0.3%

top 51.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Canonical Ubuntu Linux Debian Linux +1 more

Timeline

PublishedDec 23

Latest updateMay 17

Description

The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.

CVSS vector

AV:N/AC:H/C:P/I:P/A:NExploitability: 4.9 | Impact: 4.9

Affected Packages2 packages

▶NVDhaxx/libcurl18 versions+17

▶Debianhaxx/curl< 7.34.0-1+3

Also affects: Debian Linux 7.0, Ubuntu Linux 12.04, 12.10, 13.04, 13.10

🔴Vulnerability Details

GHSA

GHSA-fw5f-w62r-p5ww: The GnuTLS backend in libcurl 7↗2022-05-17

▶

CVEList

CVE-2013-6422: The GnuTLS backend in libcurl 7↗2013-12-23

▶

OSV

CVE-2013-6422: The GnuTLS backend in libcurl 7↗2013-12-23

▶

📋Vendor Advisories

Ubuntu

curl vulnerability↗2013-12-18

▶

Red Hat

curl: TLS/SSL certificate name check disabled with peer verification when using GnuTLS↗2013-12-17

▶

Debian

CVE-2013-6422: curl - The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital sign...↗2013

▶

💬Community

Bugzilla

CVE-2013-6422 curl: TLS/SSL certificate name check disabled with peer verification when using GnuTLS↗2013-12-04

▶