cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2013-11-23T11:00:00
Updated: 2016-06-15T19:57:01
Reserved: 2013-06-12T00:00:00
Link: CVE-2013-4545
JSON object: View
NVD Information
Status : Modified
Published: 2013-11-23T11:55:04.740
Modified: 2016-06-17T01:59:31.977
Link: CVE-2013-4545
JSON object: View
Redhat Information
No data.
CWE