CVE-2013-6422
Ubuntu Security Notice USN-2058-1
Public Exploits: 0
Exploited in Wild: -
Descriptions
The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.
Marc Deslauriers discovered that libcurl incorrectly verified CN and SAN name fields when digital signature verification was disabled in the GnuTLS backend. When libcurl is being used in this uncommon way by specific applications, an attacker could exploit this to perform a man-in-the-middle attack to view sensitive information or alter encrypted communications.
Timeline
- 2013-11-04 CVE Reserved
- 2013-12-19 CVE Published
- 2024-08-06 CVE Updated
- 2025-04-04 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
References (5)
URL | Tag | Source |
---|---|---|
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html | X_refsource_confirm | |

URL | Date | SRC |
---|---|---|
http://curl.haxx.se/docs/adv_20131217.html | 2016-04-07 | |
http://www.debian.org/security/2013/dsa-2824 | 2016-04-07 | |
http://www.ubuntu.com/usn/USN-2058-1 | 2016-04-07 | |
https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04463322 | 2016-04-07 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Debian | Debian Linux | 7.0 | - | Affected |
Canonical | Ubuntu Linux | 12.04 | lts | Affected |
Canonical | Ubuntu Linux | 12.10 | - | Affected |
Canonical | Ubuntu Linux | 13.04 | - | Affected |
Canonical | Ubuntu Linux | 13.10 | - | Affected |
Haxx | Libcurl | 7.21.4 | - | Affected |
Haxx | Libcurl | 7.21.5 | - | Affected |
Haxx | Libcurl | 7.21.6 | - | Affected |
Haxx | Libcurl | 7.21.7 | - | Affected |
Haxx | Libcurl | 7.22.0 | - | Affected |
Haxx | Libcurl | 7.23.0 | - | Affected |
Haxx | Libcurl | 7.23.1 | - | Affected |
Haxx | Libcurl | 7.24.0 | - | Affected |
Haxx | Libcurl | 7.25.0 | - | Affected |
Haxx | Libcurl | 7.26.0 | - | Affected |
Haxx | Libcurl | 7.27.0 | - | Affected |
Haxx | Libcurl | 7.28.0 | - | Affected |
Haxx | Libcurl | 7.28.1 | - | Affected |
Haxx | Libcurl | 7.29.0 | - | Affected |
Haxx | Libcurl | 7.30.0 | - | Affected |
Haxx | Libcurl | 7.31.0 | - | Affected |
Haxx | Libcurl | 7.32.0 | - | Affected |
Haxx | Libcurl | 7.33.0 | - | Affected |