CVE-2013-6422
curl - unchecked TLS/SSL certificate host name
EPSS 0.25%
Description
The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when digital signature verification is disabled (CURLOPT_SSL_VERIFYPEER set to 0), also disables the CURLOPT_SSL_VERIFYHOST check of the certificate's CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks. Only builds that use the GnuTLS backend are affected; with the fix, CURLOPT_SSL_VERIFYHOST is honoured independently of CURLOPT_SSL_VERIFYPEER. An application that turns off CURLOPT_SSL_VERIFYPEER is already accepting a certificate from any issuer, so the bug matters to clients that disabled peer verification but still relied on the host name check as a separate control.
How to fix CVE-2013-6422
To remediate CVE-2013-6422, upgrade the affected package to one of the fixed versions below (the second is a backported fix; the upstream version string stays 7.26.0).
- Debian/curl—upgrade to 7.34.0-1 or later
- Debian/curl—upgrade to 7.26.0-1+wheezy7 or later
Is CVE-2013-6422 being exploited?
Low. EPSS estimates a 0.25% probability of exploitation in the wild over the next 30 days; this is a prediction rather than a record of observed attacks, and a successful MITM against a client leaves no evidence on that client.
Affected packages (2)
- Debian/curl: from 0, < 7.34.0-1
- Debian/curl: from 0, < 7.26.0-1+wheezy7
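The description above narrows the affected set by both libcurl version and TLS backend, and the fix list uses two Debian versions, one of which (7.26.0-1+wheezy7) sorts below the other (7.34.0-1) in Debian version order while still being fixed. The script below, an added example that is not code from the curl project or from Debian, covers both checks: it parses the first line of `curl --version` to decide whether a build is GnuTLS-backed and in the 7.21.4 through 7.33.0 range, and it compares a Debian package version against the fixed version for its branch using a small re-implementation of dpkg's version ordering. The sample banners and the `SAMPLE_BANNERS` name are constructed for the example.

```python
"""Check a curl build or Debian curl package against CVE-2013-6422."""
import re
import subprocess

AFFECTED_MIN = (7, 21, 4)
AFFECTED_MAX = (7, 33, 0)
# Fixed Debian versions taken from the advisory.
FIXED_UNSTABLE = "7.34.0-1"
FIXED_WHEEZY = "7.26.0-1+wheezy7"   # backport: upstream version stays 7.26.0
# TLS backend names as they appear in the `curl --version` banner.
TLS_BACKENDS = {"OpenSSL", "GnuTLS", "NSS", "PolarSSL", "CyaSSL", "axTLS",
                "SecureTransport", "Schannel", "mbedTLS", "wolfSSL"}


def parse_curl_banner(line):
    """Return (libcurl version tuple, TLS backend names) from the first `curl --version` line."""
    m = re.search(r"\blibcurl/(\d+)\.(\d+)\.(\d+)", line)
    if not m:
        raise ValueError("no libcurl/x.y.z token in banner: %r" % line)
    version = tuple(int(x) for x in m.groups())
    backends = []
    for tok in line.split():
        name = tok.strip("()").split("/", 1)[0]
        if "/" in tok and name in TLS_BACKENDS:
            backends.append(name)
    return version, backends


def is_affected_build(line):
    """True only for a GnuTLS-backed libcurl in the 7.21.4 .. 7.33.0 range."""
    version, backends = parse_curl_banner(line)
    return "GnuTLS" in backends and AFFECTED_MIN <= version <= AFFECTED_MAX


# Debian version ordering: '~' sorts before anything, digits compare numerically,
# letters before non-letters; same algorithm dpkg uses for each version part.
def _order(c):
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare an upstream-version or revision string the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_version(v):
    """Split 'epoch:upstream-revision' into its three parts with Debian defaults."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "0")
    return int(epoch), upstream, revision


def dpkg_compare(v1, v2):
    """Return -1, 0 or 1, ordering v1 against v2 like `dpkg --compare-versions`."""
    e1, u1, r1 = _split_version(v1)
    e2, u2, r2 = _split_version(v2)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    c = _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)
    return (c > 0) - (c < 0)


def debian_curl_fixed(version):
    """True if a Debian curl package version is at or past the fixed version for its branch."""
    _, upstream, _ = _split_version(version)
    if upstream == "7.26.0":            # wheezy branch: compare against the backport
        return dpkg_compare(version, FIXED_WHEEZY) >= 0
    return dpkg_compare(version, FIXED_UNSTABLE) >= 0


# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = {
    "wheezy-gnutls": "curl 7.26.0 (x86_64-pc-linux-gnu) libcurl/7.26.0 GnuTLS/2.12.20 zlib/1.2.7 libidn/1.25",
    "wheezy-openssl": "curl 7.26.0 (x86_64-pc-linux-gnu) libcurl/7.26.0 OpenSSL/1.0.1e zlib/1.2.7 libidn/1.25",
    "fixed": "curl 7.34.0 (x86_64-pc-linux-gnu) libcurl/7.34.0 GnuTLS/3.2.7 zlib/1.2.8",
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(name, "affected" if is_affected_build(banner) else "not affected")
    try:
        live = subprocess.run(["curl", "--version"], capture_output=True, text=True, check=True)
        print("installed curl:", "affected" if is_affected_build(live.stdout.splitlines()[0]) else "not affected")
    except (OSError, subprocess.CalledProcessError):
        print("curl not runnable here")
```

The banner check reflects the upstream view only: a patched wheezy package still reports libcurl/7.26.0 and so reads as affected. On Debian, trust the package version instead, for example `dpkg-query -W -f='${Version}' libcurl3-gnutls` (assuming that is the GnuTLS-backed library package on the host) fed to `debian_curl_fixed()`. A naive "is the version at least 7.34.0-1" test would wrongly flag the fixed wheezy package, which is why the comparison is done per branch.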