CVE-2013-2037

Exp

httplib2 0.7.2, 0.8, and earlier, after an initial connection is made, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Published: 2014-01-18 Last update: 2026-04-29 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2013-2037 is rated Exploit Available (50/100): CVSS Low severity, with medium exploitation likelihood (EPSS 0.49%). 2 public exploit reference(s) are indexed (Exploit-DB). Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2013-2037

EDB-ID Source Kind Published Link
nvd_ref exploit_tag Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2013-2037

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2025-03-30 0.91% 0.49% -0.42%
2 2025-03-29 0.49% 0.91% +0.42%
3 2025-03-17 0.49%

Full EPSS history (6 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2013-2037

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
2.6 2.0 LOW
AV:N/AC:H/Au:N/C:N/I:P/A:N Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:H)
Exploitation requires uncommon or highly specific conditions.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:N)
No confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:N)
No availability impact.
 4.9 2.9 [email protected]

Weakness enumeration for CVE-2013-2037

GitHub Security Advisory for CVE-2013-2037

GHSA-q48q-77qv-cf9p · Severity: medium · Ecosystem: pip — httplib2 incorrectly checks SSL certificate

OS Trackers for CVE-2013-2037

vendor priority summary link
debian low CVE-2013-2037 low priority: Debian including 1 source packages (python-httplib2), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2013-2037
redhat medium https://access.redhat.com/security/cve/CVE-2013-2037
ubuntu medium CVE-2013-2037 medium priority: Ubuntu including 1 source packages (python-httplib2), 7 status rows across 7 suites (hardy, lucid, oneiric, precise, quantal, raring, upstream): released 5, ignored 2. https://ubuntu.com/security/CVE-2013-2037

Affected software / configurations for CVE-2013-2037

Vendor Product Version Raw CPE
canonical ubuntu_linux 10.04 cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:lts:*:*:*
canonical ubuntu_linux 12.04 cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
canonical ubuntu_linux 12.10 cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
canonical ubuntu_linux 13.04 cpe:2.3:o:canonical:ubuntu_linux:13.04:*:*:*:*:*:*:*
httplib2_project httplib2 <= 0.7.2 cpe:2.3:a:httplib2_project:httplib2:*:*:*:*:*:*:*:*
httplib2_project httplib2 0.8 cpe:2.3:a:httplib2_project:httplib2:0.8:*:*:*:*:*:*:*

References for CVE-2013-2037

URL Tags
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=706602 Issue Tracking Mailing List Third Party Advisory
http://code.google.com/p/httplib2/issues/detail?id=282 Exploit Third Party Advisory
http://seclists.org/oss-sec/2013/q2/257 Mailing List Third Party Advisory
http://www.securityfocus.com/bid/52179 Third Party Advisory VDB Entry
http://www.ubuntu.com/usn/USN-1948-1 Third Party Advisory
https://bugs.launchpad.net/httplib2/+bug/1175272 Exploit Patch
cvelogic Threat Intelligence