CVE-2013-2037

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2013-2037

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2013-2037.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2013-2037

Aliases

GHSA-q48q-77qv-cf9p
PYSEC-2014-81

Downstream

DEBIAN-CVE-2013-2037

Withdrawn

2026-01-27T04:13:09.289700Z

Published

2014-01-18T21:55:03Z

Modified

2026-01-27T04:13:09.289700Z

Summary

[none]

Details

httplib2 0.7.2, 0.8, and earlier, after an initial connection is made, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

References

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706602
http://code.google.com/p/httplib2/issues/detail?id=282
http://seclists.org/oss-sec/2013/q2/257
http://www.securityfocus.com/bid/52179
http://www.ubuntu.com/usn/USN-1948-1
https://bugs.launchpad.net/httplib2/+bug/1175272

CVE-2013-2037

Affected packages