PT-2014-2531 · Google+1 · Httplib2+1

Kasper Dupont

Published

2013-08-13

Updated

2022-05-14

CVE-2013-2037

CVSS v4.0

6.6

Medium

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

Name of the Vulnerable Software and Affected Versions httplib2 versions 0.7.2 and earlier httplib2 versions 0.8 and earlier httplib2 versions prior to 0.10.1

Description The issue allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate because, after an initial connection is made, it does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate.

Recommendations For versions 0.7.2 and earlier, update to version 0.10.1 or later. For versions 0.8 and earlier, update to version 0.10.1 or later. For versions prior to 0.10.1, update to version 0.10.1 or later.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2013-2037

GHSA-Q48Q-77QV-CF9P

PYSEC-2014-81

SUSE-SU-2013_1328-1

Affected Products

Suse

Httplib2

PT-2014-2531 · Google+1 · Httplib2+1

CVE-2013-2037

Weakness Enumeration

Related Identifiers

Affected Products

References · 24