what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 5 of 5 RSS Feed

CVE-2013-4545

Status Candidate

Overview

cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Related Files

HP Security Bulletin HPSBMU03112
Posted Oct 1, 2014
Authored by HP | Site hp.com

HP Security Bulletin HPSBMU03112 - Potential security vulnerabilities have been identified with HP System Management Homepage (SMH) on Linux and Windows. The vulnerabilities could be exploited remotely resulting in Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF), unauthorized disclosure of information, Denial of Service (DoS), and Clickjacking. Revision 1 of this advisory.

tags | advisory, denial of service, vulnerability, xss, csrf
systems | linux, windows
advisories | CVE-2013-4545, CVE-2013-6420, CVE-2013-6422, CVE-2013-6712, CVE-2014-2640, CVE-2014-2641, CVE-2014-2642
SHA-256 | c7ee397bfe22743f1104826923b5ce2ee2bca83ffb77b9abc0126c7de3855248
Ubuntu Security Notice USN-2048-1
Posted Dec 6, 2013
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2048-1 - Scott Cantor discovered that libcurl incorrectly verified CN and SAN name fields when digital signature verification was disabled. When libcurl is being used in this uncommon way by specific applications, an attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications.

tags | advisory
systems | linux, ubuntu
advisories | CVE-2013-4545
SHA-256 | c20f5794bb126d61a57266741ccbe80c44ddbf98c011ace3654bedddefc949e5
Mandriva Linux Security Advisory 2013-276
Posted Nov 21, 2013
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2013-276 - Scott Cantor discovered that curl, a file retrieval tool, would disable the CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting was disabled. This would also disable ssl certificate host name checks when it should have only disabled verification of the certificate trust chain.

tags | advisory
systems | linux, mandriva
advisories | CVE-2013-4545
SHA-256 | 2c78af201db1bef05c4d5d012d53ff1328f14122e461d40a5c38c8ccb71ff218
Debian Security Advisory 2798-2
Posted Nov 21, 2013
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2798-2 - The update for curl in DSA-2798-1 uncovered a regression affecting the curl command line tool behaviour (#729965). This update disables host verification too when using the --insecure option.

tags | advisory
systems | linux, debian
advisories | CVE-2013-4545
SHA-256 | ce1a6610897ebeb0ecc8600b5d5a1134408350f1241fe3beff51b07c1ce9e564
Debian Security Advisory 2798-1
Posted Nov 18, 2013
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2798-1 - Scott Cantor discovered that curl, a file retrieval tool, would disable the CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting was disabled. This would also disable ssl certificate host name checks when it should have only disabled verification of the certificate trust chain.

tags | advisory
systems | linux, debian
advisories | CVE-2013-4545
SHA-256 | 9363b2d66b1be8b2c64a2ee99bfb751ea42ee87086b3cd18e8fcae0ba052400f
Page 1 of 1
Back1Next

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close