Fluid Attacks Database

Description

httplib2 incorrectly checks SSL certificate httplib2 prior to version 0.10.1, after an initial connection is made, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	httplib2	>=0 <0.10.1	0.10.1
debian 12	python-httplib2	>=0 <0.8-2	0.8-2
debian 14	python-httplib2	>=0 <0.8-2	0.8-2
debian 11	python-httplib2	>=0 <0.8-2	0.8-2
debian 13	python-httplib2	>=0 <0.8-2	0.8-2

Aliases

1. CVE-2013-20372. NVD-2013-20373. OSV-2013-20374. OSV-DEBIAN-2013-20375. GCVE-2013-20376. SECURITY-TRACKER-CVE-2013-2037

References

1. https://github.com/httplib2/httplib2/issues/52. https://github.com/httplib2/httplib2/commit/40cbdcc8586f2292fa0e76a3e8c012f0cc9ed9193. https://bugs.launchpad.net/httplib2/+bug/11752724. https://github.com/pypa/advisory-database/tree/main/vulns/httplib2/PYSEC-2014-81.yaml5. https://web.archive.org/web/20200228052625/http://www.securityfocus.com/bid/521796. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=7066027. http://code.google.com/p/httplib2/issues/detail?id=2828. http://seclists.org/oss-sec/2013/q2/2579. http://www.ubuntu.com/usn/USN-1948-1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.