CVE-2013-2037

2014-01-1821:55:03

CWE-20

[email protected]

web.nvd.nist.gov

cve-2013-2037

ssl server spoofing

httplib2

x.509 certificate

nvd

man-in-the-middle attack

2.6 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:N/I:P/A:N

6.3 Medium

AI Score

Confidence

Low

0.002 Low

EPSS

Percentile

53.1%

JSON

httplib2 0.7.2, 0.8, and earlier, after an initial connection is made, does not verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Affected configurations

NVD

Node

canonicalubuntu_linuxMatch10.04lts

canonicalubuntu_linuxMatch12.04lts

canonicalubuntu_linuxMatch12.10

canonicalubuntu_linuxMatch13.04

Node

httplib2_projecthttplib2Range≤0.7.2

httplib2_projecthttplib2Match0.8

CPENameOperatorVersion
canonical:ubuntu_linuxcanonical ubuntu linuxeq10.04
canonical:ubuntu_linuxcanonical ubuntu linuxeq12.04
canonical:ubuntu_linuxcanonical ubuntu linuxeq12.10
canonical:ubuntu_linuxcanonical ubuntu linuxeq13.04

CPE	Name	Operator	Version
canonical:ubuntu_linux	canonical ubuntu linux	eq	10.04
canonical:ubuntu_linux	canonical ubuntu linux	eq	12.04
canonical:ubuntu_linux	canonical ubuntu linux	eq	12.10
canonical:ubuntu_linux	canonical ubuntu linux	eq	13.04