CVE-2013-4073

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

References

http://forums.interworx.com/threads/8000-InterWorx-Version-5-0-14-Released-on-Beta-Channel!

http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html

http://lists.opensuse.org/opensuse-updates/2013-07/msg00042.html

http://lists.opensuse.org/opensuse-updates/2013-07/msg00044.html

http://rhn.redhat.com/errata/RHSA-2013-1090.html

http://rhn.redhat.com/errata/RHSA-2013-1103.html

http://rhn.redhat.com/errata/RHSA-2013-1137.html

http://support.apple.com/kb/HT6150

http://www.debian.org/security/2013/dsa-2738

http://www.debian.org/security/2013/dsa-2809

http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/

http://www.ubuntu.com/usn/USN-1902-1

https://bugzilla.redhat.com/show_bug.cgi?id=979251

https://puppet.com/security/cve/cve-2013-4073

Details

Source: MITRE

Published: 2013-08-18

Updated: 2018-08-13

Type: CWE-310

Risk Information

CVSS v2

Base Score: 6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:ruby-lang:ruby:1.8.6-26:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:p160:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:p17:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:p173:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:p174:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:p22:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:p248:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:p249:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:p299:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:p301:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:p302:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:p330:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:p334:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:p352:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:p357:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:p358:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:p370:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:p371:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:p373:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:p71:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:p72:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:preview1:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:preview2:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:preview3:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.8.7:preview4:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.3:*:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.3:p0:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.3:p125:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.3:p194:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.3:p286:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.3:p383:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.3:p385:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.3:p392:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.3:p426:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:1.9.3:p429:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:2.0.0:p0:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:2.0.0:p195:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:2.0.0:preview1:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:2.0.0:preview2:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:2.0.0:rc1:*:*:*:*:*:*

cpe:2.3:a:ruby-lang:ruby:2.0.0:rc2:*:*:*:*:*:*

Tenable Plugins

View all (27 total)

IDNameProductFamilySeverity
124931EulerOS Virtualization 3.0.1.0 : ruby (EulerOS-SA-2019-1428)NessusHuawei Local Security Checks
critical
119342RHEL 6 : ruby193-ruby (RHSA-2013:1137)NessusRed Hat Local Security Checks
medium
80755Oracle Solaris Third-Party Patch Update : ruby (cve_2013_4073_cryptographic_issues)NessusSolaris Local Security Checks
medium
75082openSUSE Security Update : ruby19 (openSUSE-SU-2013:1181-1)NessusSuSE Local Security Checks
medium
75079openSUSE Security Update : ruby19 (openSUSE-SU-2013:1179-1)NessusSuSE Local Security Checks
medium
72873SuSE 11.3 Security Update : python (SAT Patch Number 8892)NessusSuSE Local Security Checks
medium
8138Mac OS X < 10.9.2 Multiple Vulnerabilities Nessus Network MonitorWeb Clients
critical
72688Mac OS X Multiple Vulnerabilities (Security Update 2014-001) (BEAST)NessusMacOS X Local Security Checks
critical
72687Mac OS X 10.9.x < 10.9.2 Multiple VulnerabilitiesNessusMacOS X Local Security Checks
critical
71426PHP 5.3.x < 5.3.28 Multiple OpenSSL VulnerabilitiesNessusCGI abuses
high
71220Debian DSA-2809-1 : ruby1.8 - several vulnerabilitiesNessusDebian Local Security Checks
medium
70663Puppet Enterprise < 3.0.1 Multiple VulnerabilitiesNessusCGI abuses
medium
70561Mac OS X 10.x < 10.9 Multiple Vulnerabilities (BEAST)NessusMacOS X Local Security Checks
high
69398Debian DSA-2738-1 : ruby1.9.1 - several vulnerabilitiesNessusDebian Local Security Checks
medium
69168SuSE 11.2 / 11.3 Security Update : ruby (SAT Patch Numbers 8026 / 8027)NessusSuSE Local Security Checks
medium
69118SuSE 10 Security Update : ruby (ZYPP Patch Number 8639)NessusSuSE Local Security Checks
medium
69089Mandriva Linux Security Advisory : ruby (MDVSA-2013:201)NessusMandriva Local Security Checks
medium
68976Oracle Linux 5 / 6 : ruby (ELSA-2013-1090)NessusOracle Linux Local Security Checks
medium
68946Scientific Linux Security Update : ruby on SL5.x, SL6.x i386/srpm/x86_64 (20130717)NessusScientific Linux Local Security Checks
medium
68944RHEL 5 / 6 : ruby (RHSA-2013:1090)NessusRed Hat Local Security Checks
medium
68941CentOS 5 / 6 : ruby (CESA-2013:1090)NessusCentOS Local Security Checks
medium
68896Fedora 19 : ruby-2.0.0.247-14.fc19 (2013-12663)NessusFedora Local Security Checks
medium
67339Fedora 18 : ruby-1.9.3.448-31.fc18 (2013-12123)NessusFedora Local Security Checks
medium
67334Fedora 17 : ruby-1.9.3.448-31.fc17 (2013-12062)NessusFedora Local Security Checks
medium
67251FreeBSD : ruby -- Hostname check bypassing vulnerability in SSL client (ebd877b9-7ef4-4375-b1fd-c67780581898)NessusFreeBSD Local Security Checks
medium
67224Ubuntu 12.04 LTS / 12.10 / 13.04 : ruby1.8, ruby1.9.1 vulnerability (USN-1902-1)NessusUbuntu Local Security Checks
medium
67009Slackware 13.1 / 13.37 / 14.0 / current : ruby (SSA:2013-178-01)NessusSlackware Local Security Checks
medium