CVE-2013-4545

EPSS 0.36%

curl - unchecked ssl certificate host name

Published: 11/23/2013Modified: 4/28/2026

Also known as:DEBIAN-CVE-2013-4545

Description

cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Affected packages (2)

Debian/curlfrom 0, < 7.33.0-1
Debian/curlfrom 0, < 7.21.0-2.1+squeeze5

References (1)

ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2013-4545