CVE-2013-2037 : httplib2 0.7.2, 0.8, and earlier, after an initial connection is made, does not

httplib2 0.7.2, 0.8, and earlier, after an initial connection is made, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Published 2014-01-18 21:55:04

Updated 2018-12-06 20:53:34

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Input validation

Products affected by CVE-2013-2037

Canonical » Ubuntu Linux » Version: 13.04
cpe:2.3:o:canonical:ubuntu_linux:13.04:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 12.10
cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 10.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 12.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
Matching versions
Httplib2 Project » Httplib2
Versions up to, including, (<=) 0.7.2
cpe:2.3:a:httplib2_project:httplib2:*:*:*:*:*:*:*:*
Matching versions
Httplib2 Project » Httplib2 » Version: 0.8
cpe:2.3:a:httplib2_project:httplib2:0.8:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2013-2037

EPSS FAQ

0.49%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 64 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2013-2037

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
2.6	LOW	AV:N/AC:H/Au:N/C:N/I:P/A:N	4.9	2.9	NIST
Access Vector: Network Access Complexity: High Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2013-2037

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-2037

https://bugs.launchpad.net/httplib2/+bug/1175272

Bug #1175272 “requests permitted after invalid certificate is re...” : Bugs : httplib2
Exploit;Patch
http://code.google.com/p/httplib2/issues/detail?id=282

Google Code Archive - Long-term storage for Google Code Project Hosting.
Exploit;Third Party Advisory
http://www.ubuntu.com/usn/USN-1948-1

USN-1948-1: httplib2 vulnerability | Ubuntu security notices
Third Party Advisory
http://seclists.org/oss-sec/2013/q2/257

oss-sec: Re: CVE Request: httplib2 ssl cert incorrect error handling
Mailing List;Third Party Advisory
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706602

#706602 - python-httplib2: CVE-2013-2037 - Debian Bug report logs
Mailing List;Issue Tracking;Third Party Advisory
http://www.securityfocus.com/bid/52179

python-httplib2 CVE-2013-2037 SSL Certificate Validation Security Bypass Vulnerability
Third Party Advisory;VDB Entry

Jump to

Vulnerability Details : CVE-2013-2037

Products affected by CVE-2013-2037

Exploit prediction scoring system (EPSS) score for CVE-2013-2037

CVSS scores for CVE-2013-2037

CWE ids for CVE-2013-2037

References for CVE-2013-2037