CVE-2013-6422
Description
In libcurl's GnuTLS backend, disabling certificate verification also disables hostname verification, enabling MITM attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In libcurl versions 7.21.4 through 7.33.0 built with the GnuTLS backend, when an application disables digital signature verification via CURLOPT_SSL_VERIFYPEER, libcurl also incorrectly disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN hostname fields [1]. This contradicts the intended design where the two options are independent. The curl command line tool is not affected because it enables or disables both simultaneously [1].
Exploitation
An attacker with network access can conduct a man-in-the-middle attack by presenting a certificate issued for a different hostname; the CA signature is not examined at all because VERIFYPEER is off, and the hostname mismatch, which VERIFYHOST would normally catch, goes unchecked as well. The attacker needs to be in a position to intercept TLS traffic [2]. The application must be using the GnuTLS backend and have disabled VERIFYPEER while expecting VERIFYHOST to still be enforced. No additional authentication is required beyond that network position.
Impact
Successful exploitation allows the attacker to spoof a server and intercept or modify encrypted communications, leading to disclosure of sensitive information or alteration of data [1][2]. The attacker gains a man-in-the-middle position with the ability to decrypt and re-encrypt traffic between the client and the intended server.
Mitigation
The vulnerability is fixed in libcurl 7.34.0, released December 17, 2013 [1]. Ubuntu provided updated packages in USN-2058-1 [2]. Applications should upgrade to libcurl 7.34.0 or later. If upgrading is not possible, the patch from the curl advisory can be applied [1]. This issue is not listed on CISA's Known Exploited Vulnerabilities catalog.
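As an added defender's check for the Vulnerability and Mitigation sections above (this is example code, not from the curl project or the advisory), the following POSIX shell functions parse the first line of `curl --version` and flag a build that is both inside the affected range, 7.21.4 through 7.33.0, and linked against GnuTLS. The sample version lines in the comments and test are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the curl project): flag a libcurl build that is in
# the CVE-2013-6422 affected range (7.21.4 through 7.33.0) AND built against
# GnuTLS, by parsing the first line of `curl --version`, which looks like
#   curl 7.29.0 (x86_64-pc-linux-gnu) libcurl/7.29.0 GnuTLS/3.2.4 zlib/1.2.8
# (constructed sample line).

# version_to_num "7.29.0" -> 72900  (major*10000 + minor*100 + patch)
version_to_num() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
}

# in_affected_range VERSION -> true when 7.21.4 <= VERSION <= 7.33.0
in_affected_range() {
    v=$(version_to_num "$1")
    [ "$v" -ge 72104 ] && [ "$v" -le 73300 ]
}

# cve_2013_6422_exposed "LINE" -> true only when LINE names a libcurl in the
# affected range together with a GnuTLS backend; returns 2 if no
# "libcurl/<version>" token can be found in LINE.
cve_2013_6422_exposed() {
    ver=$(printf '%s\n' "$1" | sed -n 's|.*libcurl/\([0-9][0-9.]*\).*|\1|p')
    [ -n "$ver" ] || return 2
    case $1 in
        *GnuTLS/*) in_affected_range "$ver" ;;
        *)         return 1 ;;
    esac
}

# report_local_curl: apply the check to whatever curl binary is on PATH.
report_local_curl() {
    command -v curl >/dev/null 2>&1 || { echo "curl not found"; return 2; }
    line=$(curl --version | head -n 1)
    if cve_2013_6422_exposed "$line"; then
        echo "EXPOSED (CVE-2013-6422): $line"
    else
        echo "not affected: $line"
    fi
}
```

Note that `curl --version` reports the libcurl the command line tool is linked against, which is not necessarily the copy an application loads, and a version match only says the bug is present; whether it is reachable depends on the application disabling CURLOPT_SSL_VERIFYPEER while relying on CURLOPT_SSL_VERIFYHOST.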
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:haxx:libcurl:7.21.4:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.21.5:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.21.6:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.21.7:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.22.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.23.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.23.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.24.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.25.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.26.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.27.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.28.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.28.1:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.29.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.30.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.31.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.32.0:*:*:*:*:*:*:*
- cpe:2.3:a:haxx:libcurl:7.33.0:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:13.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.