CVE-2013-0289 — Project Isync vulnerability

CWE-3108 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

0.6%

top 30.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Isync Project Isync

Timeline

PublishedMay 23

Latest updateMay 5

Description

Isync 0.4 before 1.0.6, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶Debianisync_project/isync< 1.0.4-2.2+3

▶NVDisync_project/isync11 versions+10

Patches

Patch: sourceforge.net ↗Patch: sourceforge.net ↗

🔴Vulnerability Details

GHSA

GHSA-x9p3-334f-m7g8: Isync 0↗2022-05-05

▶

CVEList

CVE-2013-0289: Isync 0↗2014-05-23

▶

OSV

CVE-2013-0289: Isync 0↗2014-05-23

▶

📋Vendor Advisories

Debian

CVE-2013-0289: isync - Isync 0.4 before 1.0.6, does not verify that the server hostname matches a domai...↗2013

▶

💬Community

Bugzilla

CVE-2013-0289 isync: Incorrect server's SSL x509.v3 certificate validation when performing IMAP synchronization [epel-all]↗2013-02-20

▶

Bugzilla

CVE-2013-0289 isync: Incorrect server's SSL x509.v3 certificate validation when performing IMAP synchronization [fedora-all]↗2013-02-20

▶

Bugzilla

CVE-2013-0289 isync: Incorrect server's SSL x509.v3 certificate validation when performing IMAP synchronization↗2013-02-11

▶