PT-2013-5064 · Curl · Libcurl

Published

2013-11-15

·

Updated

2024-06-15

·

CVE-2013-4545

CVSS v2.0

4.3

Medium

Vector AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: cURL and libcurl versions 7.18.0 through 7.32.0
Description: cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, skip verification of the certificate's CN and SAN name fields whenever digital signature (trust chain) verification is disabled. libcurl has two independent options for verifying a server's TLS certificate: CURLOPT_SSL_VERIFYPEER verifies the trust chain against the configured CA bundle, and CURLOPT_SSL_VERIFYHOST checks that the name fields in the server certificate match the host being contacted. In affected versions, disabling CURLOPT_SSL_VERIFYPEER mistakenly also disables the CURLOPT_SSL_VERIFYHOST check, even though the application asked for it. Applications that disable CURLOPT_SSL_VERIFYPEER because they verify the trust chain by other means, and rely on CURLOPT_SSL_VERIFYHOST for the name check, are therefore exposed: a man-in-the-middle attacker can impersonate the server with any valid certificate, since a certificate issued for a completely different name is accepted.
Recommendations: Upgrade to a cURL/libcurl release later than 7.32.0. As a temporary workaround on affected versions, keep CURLOPT_SSL_VERIFYPEER enabled so that both trust chain verification and the name field check are performed, or, where CURLOPT_SSL_VERIFYPEER must stay disabled, verify the certificate's CN and SAN fields against the target hostname in the application itself rather than relying on CURLOPT_SSL_VERIFYHOST.
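The following is an added example, not code from the curl project or from this advisory: the name-field check that an application had to perform itself on affected builds once CURLOPT_SSL_VERIFYPEER was disabled. It assumes the application has already obtained the peer certificate's CN and dNSName SAN entries through its own means (for instance from CURLINFO_CERTINFO on OpenSSL builds). The matching rules are modelled on what CURLOPT_SSL_VERIFYHOST=2 enforces (case-insensitive comparison, a wildcard only in the leftmost label of a name with at least two dots, never spanning a dot); the certificate names, the host "bank.example" and the function names are constructed for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of exactly n bytes; DNS names are
 * case-insensitive, so "WWW.Example.COM" must match "www.example.com". */
static int ci_nequal(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

static int ci_equal(const char *a, const char *b)
{
    size_t la = strlen(a);
    return la == strlen(b) && ci_nequal(a, b, la);
}

/* Match one presented name (CN or dNSName SAN) against the requested host.
 * Rules modelled on CURLOPT_SSL_VERIFYHOST=2: exact case-insensitive match,
 * or a '*' confined to the leftmost label of a pattern with at least two
 * dots ("*.example.com" is fine, "*.com" and "www.*.com" are not), where the
 * wildcard covers at least one character and never spans a dot.
 * Returns 1 on match, 0 otherwise. */
int hostmatch(const char *pattern, const char *hostname)
{
    const char *wildcard = strchr(pattern, '*');
    if (!wildcard)
        return ci_equal(pattern, hostname);

    const char *pat_label_end = strchr(pattern, '.');
    /* Wildcard is only honoured in the leftmost label of a >= 2-dot name;
     * otherwise '*' is compared literally, which never matches a real host. */
    if (!pat_label_end || !strchr(pat_label_end + 1, '.') ||
        wildcard > pat_label_end)
        return ci_equal(pattern, hostname);

    const char *host_label_end = strchr(hostname, '.');
    /* Everything after the first dot must be identical, so "*.example.com"
     * matches neither "a.b.example.com" nor "example.com". */
    if (!host_label_end || !ci_equal(pat_label_end, host_label_end))
        return 0;

    /* The wildcard must match at least one character. */
    if (host_label_end - hostname < pat_label_end - pattern)
        return 0;

    size_t prefixlen = (size_t)(wildcard - pattern);
    size_t suffixlen = (size_t)(pat_label_end - (wildcard + 1));
    return ci_nequal(pattern, hostname, prefixlen) &&
           ci_nequal(wildcard + 1, host_label_end - suffixlen, suffixlen);
}

/* Check the requested hostname against the certificate's name fields.
 * When the certificate carries any dNSName SANs only those are consulted;
 * the CN is a fallback for SAN-less certificates. This is the check that
 * affected libcurl builds silently skipped once CURLOPT_SSL_VERIFYPEER was
 * off. Returns 1 if the certificate is for hostname, 0 otherwise. */
int verify_cert_names(const char *hostname, const char *cn,
                      const char *const *sans, size_t nsans)
{
    if (nsans > 0) {
        for (size_t i = 0; i < nsans; i++)
            if (hostmatch(sans[i], hostname))
                return 1;
        return 0;
    }
    return cn != NULL && hostmatch(cn, hostname);
}

/* Constructed scenario: a MITM presents a perfectly valid certificate for a
 * domain the attacker controls while the client believes it is talking to
 * bank.example. Returns 1 if the name check rejects it. */
int demo_mitm_rejected(void)
{
    const char *const sans[] = { "attacker.example", "www.attacker.example" };
    /* A CN reading "bank.example" does not help the attacker: dNSName SANs
     * are present, so the CN is never consulted. */
    return !verify_cert_names("bank.example", "bank.example",
                              sans, sizeof sans / sizeof sans[0]);
}

/* Constructed scenario: the genuine server's wildcard certificate. Returns 1
 * if www.bank.example is accepted and deep.sub.bank.example is refused. */
int demo_legit_accepted(void)
{
    const char *const sans[] = { "bank.example", "*.bank.example" };
    size_t n = sizeof sans / sizeof sans[0];
    return verify_cert_names("WWW.bank.example", "bank.example", sans, n) &&
           !verify_cert_names("deep.sub.bank.example", "bank.example", sans, n);
}

int main(void)
{
    printf("MITM certificate rejected: %s\n", demo_mitm_rejected() ? "yes" : "NO");
    printf("legitimate certificate handled: %s\n", demo_legit_accepted() ? "yes" : "NO");
    return 0;
}
```

The point of the check is the one the advisory makes: trust chain verification alone says only that some CA vouched for the certificate, and an attacker can obtain such a certificate for a name they control. Only the name-field comparison ties the certificate to the host the application meant to reach, so an application that turns CURLOPT_SSL_VERIFYPEER off on an affected build has to run this comparison itself; on fixed builds CURLOPT_SSL_VERIFYHOST=2 performs it regardless of the VERIFYPEER setting.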

Fix


Weakness Enumeration

Related Identifiers

ALT-PU-2013-1298
CVE-2013-4545
DSA-2798-1
MGASA-2013-0338
OPENSUSE-SU-2024:10303-1
SUSE-SU-2014_0002-1
SUSE-SU-2014_0004-1
SUSE-SU-2015:0962-1

Affected Products

Alt Linux
Openssl
Suse
Curl
Libcurl