Metric | Value |
---|---|
CVSS2 score | 4.3 Medium |
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
EPSS | 0.002 Low |
EPSS Percentile | 64.7% |

The GnuTLS backend in libcurl 7.21.4 through 7.33.0, when disabling digital
signature verification (CURLOPT_SSL_VERIFYPEER), also disables the
CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it
easier for remote attackers to spoof servers and conduct man-in-the-middle
(MITM) attacks.
Author | Note |
---|---|
seth-arnold | Similar to but different from CVE-2013-4545 |
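
A version-range check for the affected builds described above, as an added example that is not part of the original advisory or of the curl project: it parses the first line of `curl --version` output and flags libcurl 7.21.4 through 7.33.0 only when GnuTLS is the TLS backend. The function names and sample banners are constructed for illustration; a match means the version is in the stated range, not that a distribution's patched package is still vulnerable.

```python
import re

# Affected range stated in the advisory: libcurl 7.21.4 through 7.33.0 (inclusive).
AFFECTED_MIN = (7, 21, 4)
AFFECTED_MAX = (7, 33, 0)

_LIBCURL_RE = re.compile(r"\blibcurl/(\d+)\.(\d+)\.(\d+)")
_GNUTLS_RE = re.compile(r"\bGnuTLS/\S+")


def parse_banner(banner):
    """Return (version_tuple, uses_gnutls) from `curl --version` output.

    version_tuple is None when no libcurl/x.y.z token is found.
    """
    text = banner.strip()
    first_line = text.splitlines()[0] if text else ""
    match = _LIBCURL_RE.search(first_line)
    version = tuple(int(part) for part in match.groups()) if match else None
    return version, bool(_GNUTLS_RE.search(first_line))


def classify(banner):
    """Classify a banner as 'affected-range', 'not-affected' or 'unknown'."""
    version, uses_gnutls = parse_banner(banner)
    if version is None:
        return "unknown"
    # Only the GnuTLS backend is named in the advisory; other backends are out of scope.
    if uses_gnutls and AFFECTED_MIN <= version <= AFFECTED_MAX:
        # Version match only: a distribution may have backported the fix
        # without changing the upstream version number.
        return "affected-range"
    return "not-affected"


# Constructed sample banners (hypothetical hosts, not captured output).
SAMPLES = {
    "gnutls-in-range": "curl 7.29.0 (x86_64-pc-linux-gnu) libcurl/7.29.0 GnuTLS/2.12.23 zlib/1.2.8",
    "openssl-in-range": "curl 7.29.0 (x86_64-pc-linux-gnu) libcurl/7.29.0 OpenSSL/1.0.1e zlib/1.2.7",
    "gnutls-fixed": "curl 7.34.0 (x86_64-pc-linux-gnu) libcurl/7.34.0 GnuTLS/3.2.7 zlib/1.2.8",
    "unparseable": "command not found",
}

if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(f"{name}: {classify(banner)}")
```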