2.6

CVE-2013-2037

Exploit
httplib2 0.7.2, 0.8, and earlier, after an initial connection is made, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
CanonicalUbuntu Linux Version10.04 SwEditionlts
CanonicalUbuntu Linux Version12.04 SwEditionlts
CanonicalUbuntu Linux Version12.10
CanonicalUbuntu Linux Version13.04
Httplib2 ProjectHttplib2 Version <= 0.7.2
Httplib2 ProjectHttplib2 Version0.8
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.32% 0.672
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 2.6 4.9 2.9
AV:N/AC:H/Au:N/C:N/I:P/A:N
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706602
Third Party Advisory
Mailing List
Issue Tracking
http://code.google.com/p/httplib2/issues/detail?id=282
Third Party Advisory
Exploit
http://seclists.org/oss-sec/2013/q2/257
Third Party Advisory
Mailing List
http://www.securityfocus.com/bid/52179
Third Party Advisory
VDB Entry
http://www.ubuntu.com/usn/USN-1948-1
Third Party Advisory
https://bugs.launchpad.net/httplib2/+bug/1175272
Patch
Exploit