CVE-2013-2037 — LOW (2.6) — White Hats Nepal

Q: How severe is CVE-2013-2037?

CVE-2013-2037 has been rated LOW with a CVSS base score of 2.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2013-2037?

Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Httplib2 Project Httplib2.

Vulnerability Description

httplib2 0.7.2, 0.8, and earlier, after an initial connection is made, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVSS Score

2.6

LOW

AV:N/AC:H/Au:N/C:N/I:P/A:N

Confidentiality

NONE

Integrity

PARTIAL

Availability

NONE

Affected Products

Vendor	Product	Versions
Canonical	Ubuntu Linux	10.04
Httplib2 Project	Httplib2	<= 0.7.2

Related Weaknesses (CWE)

CWE-20

References

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706602Issue TrackingMailing ListThird Party Advisory
http://code.google.com/p/httplib2/issues/detail?id=282ExploitThird Party Advisory
http://seclists.org/oss-sec/2013/q2/257Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/52179Third Party AdvisoryVDB Entry
http://www.ubuntu.com/usn/USN-1948-1Third Party Advisory
https://bugs.launchpad.net/httplib2/+bug/1175272ExploitPatch
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706602Issue TrackingMailing ListThird Party Advisory
http://code.google.com/p/httplib2/issues/detail?id=282ExploitThird Party Advisory
http://seclists.org/oss-sec/2013/q2/257Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/52179Third Party AdvisoryVDB Entry
http://www.ubuntu.com/usn/USN-1948-1Third Party Advisory
https://bugs.launchpad.net/httplib2/+bug/1175272ExploitPatch

FAQ

What is CVE-2013-2037?

CVE-2013-2037 is a vulnerability with a CVSS score of 2.6 (LOW). httplib2 0.7.2, 0.8, and earlier, after an initial connection is made, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X...

How severe is CVE-2013-2037?

CVE-2013-2037 has been rated LOW with a CVSS base score of 2.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2013-2037?

Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Httplib2 Project Httplib2.