CVE-2013-6422: Input Validation

First published: Mon Dec 23 2013(Updated: )

The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital signature verification (CURLOPT_SSL_VERIFYPEER), also disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.

Credit: secalert@redhat.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/nvd-index
• agent/references
• agent/weakness
• agent/severity
• agent/author
• agent/type
• agent/event
• agent/description
• agent/first-publish-date
• agent/tags
• agent/softwarecombine
• agent/last-modified-date
• collector/mitre-cve
• source/MITRE
• vendor/debian
• canonical/debian debian linux
• version/debian debian linux/7.0
• vendor/canonical
• canonical/canonical ubuntu linux
• version/canonical ubuntu linux/12.04
• version/canonical ubuntu linux/12.10
• version/canonical ubuntu linux/13.04
• version/canonical ubuntu linux/13.10
• vendor/haxx
• canonical/haxx libcurl
• version/haxx libcurl/7.21.4
• version/haxx libcurl/7.21.5
• version/haxx libcurl/7.21.6
• version/haxx libcurl/7.21.7
• version/haxx libcurl/7.22.0
• version/haxx libcurl/7.23.0
• version/haxx libcurl/7.23.1
• version/haxx libcurl/7.24.0
• version/haxx libcurl/7.25.0
• version/haxx libcurl/7.26.0
• version/haxx libcurl/7.27.0
• version/haxx libcurl/7.28.0
• version/haxx libcurl/7.28.1
• version/haxx libcurl/7.29.0
• version/haxx libcurl/7.30.0
• version/haxx libcurl/7.31.0
• version/haxx libcurl/7.32.0
• version/haxx libcurl/7.33.0