NVD Vulnerability Detail

CVE-2013-4545

Summary	cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Publication Date	Nov. 23, 2013, 8:55 p.m.
Registration Date	Jan. 26, 2021, 3:43 p.m.
Last Update	Nov. 21, 2024, 10:55 a.m.

CVSS2.0 : MEDIUM
Score	4.3
Vector	AV:N/AC:M/Au:N/C:N/I:P/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	なし
完全性への影響(I)	低
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:haxx:curl:7.21.3:::::::*
cpe:2.3:a:haxx:curl:7.24.0:::::::*
cpe:2.3:a:haxx:curl:7.18.0:::::::*
cpe:2.3:a:haxx:curl:7.21.5:::::::*
cpe:2.3:a:haxx:curl:7.21.1:::::::*
cpe:2.3:a:haxx:curl:7.32.0:::::::*
cpe:2.3:a:haxx:curl:7.19.1:::::::*
cpe:2.3:a:haxx:curl:7.19.6:::::::*
cpe:2.3:a:haxx:curl:7.29.0:::::::*
cpe:2.3:a:haxx:curl:7.22.0:::::::*
cpe:2.3:a:haxx:curl:7.20.0:::::::*
cpe:2.3:a:haxx:curl:7.20.1:::::::*
cpe:2.3:a:haxx:curl:7.26.0:::::::*
cpe:2.3:a:haxx:curl:7.19.7:::::::*
cpe:2.3:a:haxx:curl:7.19.3:::::::*
cpe:2.3:a:haxx:curl:7.23.1:::::::*
cpe:2.3:a:haxx:curl:7.25.0:::::::*
cpe:2.3:a:haxx:curl:7.19.0:::::::*
cpe:2.3:a:haxx:curl:7.21.6:::::::*
cpe:2.3:a:haxx:curl:7.30.0:::::::*
cpe:2.3:a:haxx:curl:7.27.0:::::::*
cpe:2.3:a:haxx:curl:7.19.4:::::::*
cpe:2.3:a:haxx:curl:7.21.2:::::::*
cpe:2.3:a:haxx:curl:7.31.0:::::::*
cpe:2.3:a:haxx:curl:7.21.0:::::::*
cpe:2.3:a:haxx:curl:7.28.0:::::::*
cpe:2.3:a:haxx:curl:7.23.0:::::::*
cpe:2.3:a:haxx:curl:7.28.1:::::::*
cpe:2.3:a:haxx:curl:7.18.1:::::::*
cpe:2.3:a:haxx:curl:7.18.2:::::::*
cpe:2.3:a:haxx:curl:7.21.4:::::::*
cpe:2.3:a:haxx:curl:7.19.2:::::::*
cpe:2.3:a:haxx:curl:7.21.7:::::::*
cpe:2.3:a:haxx:curl:7.19.5:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:haxx:libcurl:7.19.0:::::::*
cpe:2.3:a:haxx:libcurl:7.19.6:::::::*
cpe:2.3:a:haxx:libcurl:7.21.2:::::::*
cpe:2.3:a:haxx:libcurl:7.19.4:::::::*
cpe:2.3:a:haxx:libcurl:7.30.0:::::::*
cpe:2.3:a:haxx:libcurl:7.25.0:::::::*
cpe:2.3:a:haxx:libcurl:7.21.3:::::::*
cpe:2.3:a:haxx:libcurl:7.18.0:::::::*
cpe:2.3:a:haxx:libcurl:7.23.0:::::::*
cpe:2.3:a:haxx:libcurl:7.19.1:::::::*
cpe:2.3:a:haxx:libcurl:7.26.0:::::::*
cpe:2.3:a:haxx:libcurl:7.31.0:::::::*
cpe:2.3:a:haxx:libcurl:7.22.0:::::::*
cpe:2.3:a:haxx:libcurl:7.20.0:::::::*
cpe:2.3:a:haxx:libcurl:7.21.0:::::::*
cpe:2.3:a:haxx:libcurl:7.28.0:::::::*
cpe:2.3:a:haxx:libcurl:7.18.2:::::::*
cpe:2.3:a:haxx:libcurl:7.21.5:::::::*
cpe:2.3:a:haxx:libcurl:7.19.3:::::::*
cpe:2.3:a:haxx:libcurl:7.24.0:::::::*
cpe:2.3:a:haxx:libcurl:7.27.0:::::::*
cpe:2.3:a:haxx:libcurl:7.19.7:::::::*
cpe:2.3:a:haxx:libcurl:7.23.1:::::::*
cpe:2.3:a:haxx:libcurl:7.21.6:::::::*
cpe:2.3:a:haxx:libcurl:7.19.5:::::::*
cpe:2.3:a:haxx:libcurl:7.21.7:::::::*
cpe:2.3:a:haxx:libcurl:7.21.1:::::::*
cpe:2.3:a:haxx:libcurl:7.20.1:::::::*
cpe:2.3:a:haxx:libcurl:7.32.0:::::::*
cpe:2.3:a:haxx:libcurl:7.29.0:::::::*
cpe:2.3:a:haxx:libcurl:7.18.1:::::::*
cpe:2.3:a:haxx:libcurl:7.28.1:::::::*
cpe:2.3:a:haxx:libcurl:7.21.4:::::::*
cpe:2.3:a:haxx:libcurl:7.19.2:::::::*

Related information, measures and tools

No	URL	タグ
1	http://curl.haxx.se/docs/adv_20131115.html	Vendor Advisory
2	http://curl.haxx.se/docs/adv_20131115.html	Vendor Advisory
3	http://lists.opensuse.org/opensuse-updates/2013-12/msg00047.html
4	http://lists.opensuse.org/opensuse-updates/2013-12/msg00047.html
5	http://lists.opensuse.org/opensuse-updates/2013-12/msg00053.html
6	http://lists.opensuse.org/opensuse-updates/2013-12/msg00053.html
7	http://www.debian.org/security/2013/dsa-2798
8	http://www.debian.org/security/2013/dsa-2798
9	http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
10	http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
11	http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
12	http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
13	http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
14	http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
15	http://www.ubuntu.com/usn/USN-2048-1
16	http://www.ubuntu.com/usn/USN-2048-1
17	https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04463322
18	https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04463322

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-310	暗号の問題	https://cwe.mitre.org/data/definitions/310.html

JVN Vulnerability Information

cURL および libcurl における SSL サーバになりすまされる脆弱性

Title	cURL および libcurl における SSL サーバになりすまされる脆弱性
Summary	cURL および libcurl は、OpenSSL を使用して構築されている場合、デジタル署名の検証 (CURLOPT_SSL_VERIFYPEER) が無効になっていると、証明書の CN と SAN の名前フィールドの検証 (CURLOPT_SSL_VERIFYPEER) を無効にするため、SSL サーバになりすまされる脆弱性が存在します。
Possible impacts	中間者攻撃 (man-in-the-middle attack) により、任意の有効な証明書を介して、SSL サーバになりすまされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Nov. 15, 2013, midnight
Registration Date	Nov. 26, 2013, 3:49 p.m.
Last Update	July 29, 2015, 5:41 p.m.

Affected System

オラクル

Oracle Enterprise Manager Grid Control の Enterprise Manager Ops Center 11.1.3

Oracle Enterprise Manager Grid Control の Enterprise Manager Ops Center 12.1.4

Oracle GlassFish Server 3.0.1

Oracle GlassFish Server 3.1.2

Oracle Hyperion Essbase 11.1.2.3

Oracle Hyperion Essbase 11.1.2.2

Haxx

cURL 7.18.0 から 7.32.0

libcurl 7.18.0 から 7.32.0

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-4545	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4545
National Vulnerability Database (NVD)
2	CVE-2013-4545	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4545
SECURITY BLOG
3	CVE-2013-4545 Cryptographic Issues vulnerability in libcurl	https://blogs.oracle.com/sunsecurity/entry/cve_2013_4545_cryptographic_issues

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-310	https://jvndb.jvn.jp/ja/cwe/CWE-310.html

ベンダー情報

No	Name	URL
Debian Security Advisory
1	DSA-2798	http://www.debian.org/security/2013/dsa-2798
opensuse-updates
2	openSUSE-SU-2013:1859	http://lists.opensuse.org/opensuse-updates/2013-12/msg00047.html
3	openSUSE-SU-2013:1865	http://lists.opensuse.org/opensuse-updates/2013-12/msg00053.html
Oracle Critical Patch Update
4	Oracle Critical Patch Update Advisory - April 2015	http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
5	Oracle Critical Patch Update Advisory - January 2015	http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
6	Oracle Critical Patch Update Advisory - July 2015	http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
7	Text Form of Oracle Critical Patch Update - April 2015 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpuapr2015verbose-2365613.html
8	Text Form of Oracle Critical Patch Update - January 2015 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujan2015verbose-1972976.html
9	Text Form of Oracle Critical Patch Update - July 2015 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujul2015verbose-2367947.html
Security Advisory
10	libcurl cert name check ignore	http://curl.haxx.se/docs/adv_20131115.html
SECURITY BLOG
11	April 2015 Critical Patch Update Released	https://blogs.oracle.com/security/entry/april_2015_critical_patch_update
12	January 2015 Critical Patch Update Released	https://blogs.oracle.com/security/entry/january_2015_critical_patch_update
13	July 2015 Critical Patch Update Released	https://blogs.oracle.com/security/entry/july_2015_critical_patch_update
Ubuntu Security Notice
14	USN-2048-1	http://www.ubuntu.com/usn/USN-2048-1

Change Log

No	Changed Details	Date of change
0	[2013年11月26日] 掲載 [2014年01月09日] ベンダ情報：Novell (openSUSE-SU-2013:1859) を追加ベンダ情報：Novell (openSUSE-SU-2013:1865) を追加ベンダ情報：Ubuntu (USN-2048-1) を追加 [2014年05月14日] ベンダ情報：オラクル (CVE-2013-4545 Cryptographic Issues vulnerability in libcurl) を追加 [2015年01月22日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - January 2015) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - January 2015 Risk Matrices) を追加ベンダ情報：オラクル (January 2015 Critical Patch Update Released) を追加 [2015年04月20日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - April 2015) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - April 2015 Risk Matrices) を追加ベンダ情報：オラクル (April 2015 Critical Patch Update Released) を追加 [2015年07月29日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - July 2015) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - July 2015 Risk Matrices) を追加ベンダ情報：オラクル (July 2015 Critical Patch Update Released) を追加	Feb. 17, 2018, 10:37 a.m.

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:haxx:curl:7.21.3:::::::*
cpe:2.3:a:haxx:curl:7.24.0:::::::*
cpe:2.3:a:haxx:curl:7.18.0:::::::*
cpe:2.3:a:haxx:curl:7.21.5:::::::*
cpe:2.3:a:haxx:curl:7.21.1:::::::*
cpe:2.3:a:haxx:curl:7.32.0:::::::*
cpe:2.3:a:haxx:curl:7.19.1:::::::*
cpe:2.3:a:haxx:curl:7.19.6:::::::*
cpe:2.3:a:haxx:curl:7.29.0:::::::*
cpe:2.3:a:haxx:curl:7.22.0:::::::*
cpe:2.3:a:haxx:curl:7.20.0:::::::*
cpe:2.3:a:haxx:curl:7.20.1:::::::*
cpe:2.3:a:haxx:curl:7.26.0:::::::*
cpe:2.3:a:haxx:curl:7.19.7:::::::*
cpe:2.3:a:haxx:curl:7.19.3:::::::*
cpe:2.3:a:haxx:curl:7.23.1:::::::*
cpe:2.3:a:haxx:curl:7.25.0:::::::*
cpe:2.3:a:haxx:curl:7.19.0:::::::*
cpe:2.3:a:haxx:curl:7.21.6:::::::*
cpe:2.3:a:haxx:curl:7.30.0:::::::*
cpe:2.3:a:haxx:curl:7.27.0:::::::*
cpe:2.3:a:haxx:curl:7.19.4:::::::*
cpe:2.3:a:haxx:curl:7.21.2:::::::*
cpe:2.3:a:haxx:curl:7.31.0:::::::*
cpe:2.3:a:haxx:curl:7.21.0:::::::*
cpe:2.3:a:haxx:curl:7.28.0:::::::*
cpe:2.3:a:haxx:curl:7.23.0:::::::*
cpe:2.3:a:haxx:curl:7.28.1:::::::*
cpe:2.3:a:haxx:curl:7.18.1:::::::*
cpe:2.3:a:haxx:curl:7.18.2:::::::*
cpe:2.3:a:haxx:curl:7.21.4:::::::*
cpe:2.3:a:haxx:curl:7.19.2:::::::*
cpe:2.3:a:haxx:curl:7.21.7:::::::*
cpe:2.3:a:haxx:curl:7.19.5:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:haxx:libcurl:7.19.0:::::::*
cpe:2.3:a:haxx:libcurl:7.19.6:::::::*
cpe:2.3:a:haxx:libcurl:7.21.2:::::::*
cpe:2.3:a:haxx:libcurl:7.19.4:::::::*
cpe:2.3:a:haxx:libcurl:7.30.0:::::::*
cpe:2.3:a:haxx:libcurl:7.25.0:::::::*
cpe:2.3:a:haxx:libcurl:7.21.3:::::::*
cpe:2.3:a:haxx:libcurl:7.18.0:::::::*
cpe:2.3:a:haxx:libcurl:7.23.0:::::::*
cpe:2.3:a:haxx:libcurl:7.19.1:::::::*
cpe:2.3:a:haxx:libcurl:7.26.0:::::::*
cpe:2.3:a:haxx:libcurl:7.31.0:::::::*
cpe:2.3:a:haxx:libcurl:7.22.0:::::::*
cpe:2.3:a:haxx:libcurl:7.20.0:::::::*
cpe:2.3:a:haxx:libcurl:7.21.0:::::::*
cpe:2.3:a:haxx:libcurl:7.28.0:::::::*
cpe:2.3:a:haxx:libcurl:7.18.2:::::::*
cpe:2.3:a:haxx:libcurl:7.21.5:::::::*
cpe:2.3:a:haxx:libcurl:7.19.3:::::::*
cpe:2.3:a:haxx:libcurl:7.24.0:::::::*
cpe:2.3:a:haxx:libcurl:7.27.0:::::::*
cpe:2.3:a:haxx:libcurl:7.19.7:::::::*
cpe:2.3:a:haxx:libcurl:7.23.1:::::::*
cpe:2.3:a:haxx:libcurl:7.21.6:::::::*
cpe:2.3:a:haxx:libcurl:7.19.5:::::::*
cpe:2.3:a:haxx:libcurl:7.21.7:::::::*
cpe:2.3:a:haxx:libcurl:7.21.1:::::::*
cpe:2.3:a:haxx:libcurl:7.20.1:::::::*
cpe:2.3:a:haxx:libcurl:7.32.0:::::::*
cpe:2.3:a:haxx:libcurl:7.29.0:::::::*
cpe:2.3:a:haxx:libcurl:7.18.1:::::::*
cpe:2.3:a:haxx:libcurl:7.28.1:::::::*
cpe:2.3:a:haxx:libcurl:7.21.4:::::::*
cpe:2.3:a:haxx:libcurl:7.19.2:::::::*