CVE-2013-4238

medium

Description

The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

References

http://bugs.python.org/issue18709

http://lists.opensuse.org/opensuse-updates/2013-09/msg00026.html

http://lists.opensuse.org/opensuse-updates/2013-09/msg00027.html

http://lists.opensuse.org/opensuse-updates/2013-09/msg00028.html

http://lists.opensuse.org/opensuse-updates/2013-09/msg00029.html

http://lists.opensuse.org/opensuse-updates/2013-09/msg00042.html

http://lists.opensuse.org/opensuse-updates/2013-09/msg00043.html

http://rhn.redhat.com/errata/RHSA-2013-1582.html

http://seclists.org/fulldisclosure/2014/Dec/23

http://www.debian.org/security/2014/dsa-2880

http://www.securityfocus.com/archive/1/534161/100/0/threaded

http://www.ubuntu.com/usn/USN-1982-1

http://www.vmware.com/security/advisories/VMSA-2014-0012.html

https://bugzilla.redhat.com/show_bug.cgi?id=996381

Details

Source: MITRE

Published: 2013-08-18

Updated: 2019-10-25

Type: CWE-20

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:python:python:2.6.1:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.6.2:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.6.3:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.6.4:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.6.5:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.6.6:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.6.7:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.6.8:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.6.2150:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.6.6150:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.7.1:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.7.1:rc1:*:*:*:*:*:*

cpe:2.3:a:python:python:2.7.2:rc1:*:*:*:*:*:*

cpe:2.3:a:python:python:2.7.3:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.7.1150:*:*:*:*:*:*:*

cpe:2.3:a:python:python:2.7.1150:*:*:*:*:*:x64:*

cpe:2.3:a:python:python:2.7.2150:*:*:*:*:*:*:*

cpe:2.3:a:python:python:3.0:*:*:*:*:*:*:*

cpe:2.3:a:python:python:3.0.1:*:*:*:*:*:*:*

cpe:2.3:a:python:python:3.1:*:*:*:*:*:*:*

cpe:2.3:a:python:python:3.1.1:*:*:*:*:*:*:*

cpe:2.3:a:python:python:3.1.2:*:*:*:*:*:*:*

cpe:2.3:a:python:python:3.1.3:*:*:*:*:*:*:*

cpe:2.3:a:python:python:3.1.4:*:*:*:*:*:*:*

cpe:2.3:a:python:python:3.1.5:*:*:*:*:*:*:*

cpe:2.3:a:python:python:3.1.2150:*:*:*:*:*:x64:*

cpe:2.3:a:python:python:3.2:*:*:*:*:*:*:*

cpe:2.3:a:python:python:3.2:alpha:*:*:*:*:*:*

cpe:2.3:a:python:python:3.2.3:*:*:*:*:*:*:*

cpe:2.3:a:python:python:3.2.2150:*:*:*:*:*:*:*

cpe:2.3:a:python:python:3.3:*:*:*:*:*:*:*

cpe:2.3:a:python:python:3.3:beta2:*:*:*:*:*:*

cpe:2.3:a:python:python:3.4:alpha1:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 133259 | SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2020:0234-1) (BEAST) (httpoxy) | Nessus | SuSE Local Security Checks | critical |
| 133172 | openSUSE Security Update : python3 (openSUSE-2020-86) (BEAST) (httpoxy) | Nessus | SuSE Local Security Checks | critical |
| 133036 | SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2020:0114-1) (BEAST) (httpoxy) | Nessus | SuSE Local Security Checks | critical |
| 127154 | NewStart CGSL MAIN 5.04 : python Multiple Vulnerabilities (NS-SA-2019-0008) | Nessus | NewStart CGSL Local Security Checks | high |
| 124937 | EulerOS Virtualization 3.0.1.0 : python (EulerOS-SA-2019-1434) | Nessus | Huawei Local Security Checks | critical |
| 87681 | VMware ESXi Multiple Vulnerabilities (VMSA-2014-0012) | Nessus | Misc. | medium |
| 79862 | ESXi 5.1 < Build 2323236 Third-Party Libraries Multiple Vulnerabilities (remote check) (BEAST) | Nessus | Misc. | medium |
| 79762 | VMSA-2014-0012 : VMware vSphere product updates address security vulnerabilities | Nessus | VMware ESX Local Security Checks | medium |
| 79163 | CentOS 6 : python (CESA-2013:1582) | Nessus | CentOS Local Security Checks | medium |
| 78979 | RHEL 6 : rhev-hypervisor6 (RHSA-2013:1527) | Nessus | Red Hat Local Security Checks | high |
| 75315 | openSUSE Security Update : python3 (openSUSE-SU-2014:0498-1) | Nessus | SuSE Local Security Checks | high |
| 75294 | openSUSE Security Update : python (openSUSE-SU-2014:0380-1) | Nessus | SuSE Local Security Checks | high |
| 75138 | openSUSE Security Update : python3 (openSUSE-SU-2013:1439-1) | Nessus | SuSE Local Security Checks | medium |
| 75137 | openSUSE Security Update : python (openSUSE-SU-2013:1438-1) | Nessus | SuSE Local Security Checks | medium |
| 75136 | openSUSE Security Update : python3 (openSUSE-SU-2013:1437-1) | Nessus | SuSE Local Security Checks | medium |
| 75135 | openSUSE Security Update : python (openSUSE-SU-2013:1440-1) | Nessus | SuSE Local Security Checks | medium |
| 73337 | LibreOffice < 4.1.5 / 4.2.0 Python Multiple Vulnerabilities (Mac OS X) | Nessus | MacOS X Local Security Checks | medium |
| 73336 | LibreOffice < 4.1.5 / 4.2.0 Python Multiple Vulnerabilities | Nessus | Windows | medium |
| 73065 | Debian DSA-2880-1 : python2.7 - security update | Nessus | Debian Local Security Checks | high |
| 72873 | SuSE 11.3 Security Update : python (SAT Patch Number 8892) | Nessus | SuSE Local Security Checks | medium |
| 71199 | Scientific Linux Security Update : python on SL6.x i386/x86_64 (20131121) | Nessus | Scientific Linux Local Security Checks | medium |
| 71128 | Oracle Linux 6 : python (ELSA-2013-1582) | Nessus | Oracle Linux Local Security Checks | medium |
| 71006 | RHEL 6 : python (RHSA-2013:1582) | Nessus | Red Hat Local Security Checks | medium |
| 70903 | Amazon Linux AMI : python26 (ALAS-2013-241) | Nessus | Amazon Linux Local Security Checks | medium |
| 70724 | SuSE 11.2 / 11.3 Security Update : Python (SAT Patch Numbers 8404 / 8405) | Nessus | SuSE Local Security Checks | medium |
| 70269 | Ubuntu 12.10 / 13.04 : python3.3 vulnerabilities (USN-1985-1) | Nessus | Ubuntu Local Security Checks | medium |
| 70268 | Ubuntu 12.04 LTS / 12.10 : python3.2 vulnerabilities (USN-1984-1) | Nessus | Ubuntu Local Security Checks | medium |
| 70267 | Ubuntu 12.04 LTS / 12.10 / 13.04 : python2.7 vulnerabilities (USN-1983-1) | Nessus | Ubuntu Local Security Checks | medium |
| 70266 | Ubuntu 10.04 LTS : python2.6 vulnerability (USN-1982-1) | Nessus | Ubuntu Local Security Checks | medium |
| 70224 | Amazon Linux AMI : python27 (ALAS-2013-220) | Nessus | Amazon Linux Local Security Checks | medium |
| 69487 | Fedora 19 : python3-3.3.2-6.fc19 (2013-15254) | Nessus | Fedora Local Security Checks | medium |
| 69463 | Fedora 19 : python-2.7.5-4.fc19 (2013-15146) | Nessus | Fedora Local Security Checks | medium |
| 69439 | Mandriva Linux Security Advisory : python (MDVSA-2013:214) | Nessus | Mandriva Local Security Checks | medium |