CVE-2013-4238
CVE information
Description
The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
CVSSv2.0 Score
- Severity: Medium
- Base Score: 4.3/10
- Exploit Score: 8.6/10
- Access Vector: Network
- Access Complexity: Medium
- Authentication Required: None
- Impact Score: 2.9/10
- Confidentiality Impact: None
- Availability Impact: None
- Integrity Impact: Partial
Products Affected
CPE | Affected | Vulnerable | Excluding |
---|---|---|---|
cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:3.1:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:3.1.1:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:3.0:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:2.6.6:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:3.0.1:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:2.7.1150:*:*:*:*:*:x64:* | Yes | - | - |
cpe:2.3:a:python:python:3.3:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:2.6.1:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:3.1.5:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:3.2.2150:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:2.6.3:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:2.6.2150:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:2.7.1:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:3.1.2150:*:*:*:*:*:x64:* | Yes | - | - |
cpe:2.3:a:python:python:3.1.2:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:2.7.1150:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:2.6.8:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:2.6.7:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:2.7.3:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:2.7.1:rc1:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:3.2.3:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:2.6.4:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:2.7.2:rc1:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:2.6.6150:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:3.2:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:2.6.2:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:3.4:alpha1:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:2.7.2150:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:3.2:alpha:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:3.3:beta2:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:2.6.5:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:3.1.3:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:a:python:python:3.1.4:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:* | Yes | - | - |
cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:* | Yes | - | - |
References
- https://bugzilla.redhat.com/show_bug.cgi?id=996381
- http://bugs.python.org/issue18709
- http://lists.opensuse.org/opensuse-updates/2013-09/msg00028.html
- http://lists.opensuse.org/opensuse-updates/2013-09/msg00026.html
- http://lists.opensuse.org/opensuse-updates/2013-09/msg00029.html
- http://lists.opensuse.org/opensuse-updates/2013-09/msg00027.html
- http://lists.opensuse.org/opensuse-updates/2013-09/msg00043.html
- http://lists.opensuse.org/opensuse-updates/2013-09/msg00042.html
- http://www.ubuntu.com/usn/USN-1982-1
- http://rhn.redhat.com/errata/RHSA-2013-1582.html
- http://www.debian.org/security/2014/dsa-2880
- http://www.vmware.com/security/advisories/VMSA-2014-0012.html
- http://seclists.org/fulldisclosure/2014/Dec/23
- http://www.securityfocus.com/archive/1/534161/100/0/threaded
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html