CVE-2013-4545
Description
libcurl 7.18.0-7.32.0 with OpenSSL incorrectly disables hostname verification when peer verification is disabled, allowing MITM attacks with arbitrary valid certificates.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In libcurl versions 7.18.0 through 7.32.0, when built with OpenSSL, disabling CURLOPT_SSL_VERIFYPEER (digital signature verification) also inadvertently disables CURLOPT_SSL_VERIFYHOST (certificate CN and SAN name field verification). Applications that turn off peer verification and rely on libcurl's hostname verification alone, without custom hostname checks, are therefore vulnerable to server impersonation [1].
Exploitation
An attacker capable of performing a man-in-the-middle attack can present any valid certificate issued by a trusted certificate authority. Since hostname verification is skipped, the connection will succeed despite the certificate not matching the intended server name. No user interaction is required beyond the application using libcurl with peer verification disabled [1].
Impact
Successful exploitation allows the attacker to spoof an SSL/TLS server, leading to potential disclosure of sensitive information or alteration of encrypted communications [2]. The impact is limited to applications that explicitly disable CURLOPT_SSL_VERIFYPEER while not independently verifying the hostname.
Mitigation
Upgrade to libcurl 7.33.0 or later, where the two verification options operate independently [1]. Alternatively, avoid disabling CURLOPT_SSL_VERIFYPEER, build libcurl with a different TLS backend, or apply the patch referenced in the advisory. Ubuntu users can update to the fixed package version via USN-2048-1 [2].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
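The affected-build and option-combination conditions described above can be checked in application code. The following is an added example, not code from this page or from the curl project: the function name and the result enum are hypothetical, `version_num` and `ssl_version` stand for the fields of the same name in libcurl's `curl_version_info_data`, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Affected range stated above: 7.18.0 through 7.32.0, encoded the way
   libcurl's version_num field is (0xMMmmpp). */
#define AFFECTED_FIRST 0x071200u /* 7.18.0 */
#define AFFECTED_LAST  0x072000u /* 7.32.0 */

/* Hypothetical result type for this example. */
enum exposure { NOT_AFFECTED = 0, AFFECTED_BUILD = 1, EXPOSED = 2 };

/* version_num and ssl_version: values as reported by curl_version_info().
   verifypeer and verifyhost: the values the application passes to
   CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST. */
enum exposure cve_2013_4545_exposure(unsigned int version_num,
                                     const char *ssl_version,
                                     long verifypeer, long verifyhost)
{
    if (version_num < AFFECTED_FIRST || version_num > AFFECTED_LAST)
        return NOT_AFFECTED;
    /* Only OpenSSL builds are affected; NULL means no TLS support. */
    if (ssl_version == NULL || strstr(ssl_version, "OpenSSL") == NULL)
        return NOT_AFFECTED;
    /* The hostname check is silently lost only when peer verification is
       off while the application still asks for hostname verification. */
    if (verifypeer == 0 && verifyhost != 0)
        return EXPOSED;
    return AFFECTED_BUILD;
}

int main(void)
{
    /* Constructed sample inputs, not taken from a real host. */
    static const struct { unsigned int v; const char *ssl; long peer, host; } s[] = {
        { 0x071E00u, "OpenSSL/1.0.1e", 0, 2 }, /* 7.30.0, peer check off */
        { 0x071E00u, "OpenSSL/1.0.1e", 1, 2 }, /* 7.30.0, both checks on */
        { 0x071E00u, "GnuTLS/2.12.23", 0, 2 }, /* other TLS backend      */
        { 0x072100u, "OpenSSL/1.0.1e", 0, 2 }, /* 7.33.0, fixed release  */
    };
    static const char *label[] = { "not affected", "affected build", "exposed" };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("0x%06x %-16s peer=%ld host=%ld -> %s\n", s[i].v, s[i].ssl,
               s[i].peer, s[i].host,
               label[cve_2013_4545_exposure(s[i].v, s[i].ssl, s[i].peer, s[i].host)]);
    return 0;
}
```

An application would call this at start-up with the values from `curl_version_info(CURLVERSION_NOW)` and refuse to run, or log the finding, when the result is `EXPOSED`.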
Affected products (71)
- cpe:2.3:a:haxx:curl:7.18.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.18.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.18.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.19.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.19.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.19.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.19.3:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.19.4:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.19.5:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.19.6:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.19.7:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.20.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.20.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.21.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.21.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.21.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.21.3:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.21.4:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.21.5:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.21.6:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.21.7:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.22.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.23.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.23.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.24.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.25.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.26.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.27.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.28.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.28.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.29.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.30.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.31.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:curl:7.32.0:*:*:*:*:*:*:*
- (no CPE) range: 7.18.0 through 7.32.0
- cpe:2.3:a:haxx:libcurl:7.18.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.18.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.18.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.19.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.19.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.19.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.19.3:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.19.4:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.19.5:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.19.6:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.19.7:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.20.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.20.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.21.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.21.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.21.2:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.21.3:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.21.4:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.21.5:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.21.6:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.21.7:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.22.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.23.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.23.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.24.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.25.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.26.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.27.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.28.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.28.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.29.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.30.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.31.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.32.0:*:*:*:*:*:*:*
- (no CPE) range: 7.18.0 through 7.32.0
Patches
No patches discovered yet.
References (9)
- curl.haxx.se/docs/adv_20131115.html (nvd, Vendor Advisory)
- lists.opensuse.org/opensuse-updates/2013-12/msg00047.html (nvd)
- lists.opensuse.org/opensuse-updates/2013-12/msg00053.html (nvd)
- www.debian.org/security/2013/dsa-2798 (nvd)
- www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html (nvd)
- www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html (nvd)
- www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html (nvd)
- www.ubuntu.com/usn/USN-2048-1 (nvd)
- h20564.www2.hp.com/hpsc/doc/public/display (nvd)