Описание
cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
| Релиз | Статус | Примечание |
|---|---|---|
| devel | not-affected | 7.33.0-1ubuntu1 |
| lucid | released | 7.19.7-1ubuntu1.4 |
| precise | released | 7.22.0-3ubuntu4.4 |
| quantal | released | 7.27.0-1ubuntu1.5 |
| raring | released | 7.29.0-1ubuntu3.3 |
| saucy | released | 7.32.0-1ubuntu1.1 |
| upstream | released | 7.33.0-1 |
Показывать по
4.3 Medium
CVSS2
Связанные уязвимости
cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disab ...
cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
4.3 Medium
CVSS2