CVE-2013-0308
Published 2013-03-08
Priority: P4 · Severity: medium · CVSS 2.0 base score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
EPSS: 1.66% (73.7th percentile)
The imap-send command in GIT before 1.8.1.4 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
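The check that was missing before 1.8.1.4 is the hostname-to-certificate match: chain validation alone only proves that *some* CA issued the certificate, not that it was issued for the IMAP server the client meant to reach. The following added example (not code from the page or from the git project) implements that match in Python over certificate dicts shaped like Python's `ssl.getpeercert()` output: subjectAltName dNSName entries take precedence, the Common Name is consulted only when no dNSName is present, and a single leftmost wildcard label is honoured in the RFC 6125 style. `accept_peer` contrasts the two policies: with `check_hostname=False` it mirrors the pre-fix behaviour (any chain-valid certificate is accepted), with `check_hostname=True` a certificate issued for a different host is rejected. The certificate dicts, host names and function names are all constructed for this illustration.

```python
"""Hostname vs. X.509 certificate matching, the check CVE-2013-0308 lacked.

Constructed example: the certificate dicts below mimic the shape returned by
Python's ssl.SSLSocket.getpeercert(); they are not real certificates.
"""
from __future__ import annotations


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate name against a hostname.

    Case-insensitive, trailing dots ignored; a '*' is only honoured as the
    whole leftmost label, must be followed by at least two labels (so '*.com'
    never matches), and stands for exactly one label.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> tuple[list[str], list[str]]:
    """Return (subjectAltName dNSNames, CommonNames) from a getpeercert()-style dict."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    return sans, cns


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if hostname matches a SAN dNSName; the CN is used only when no dNSName exists."""
    sans, cns = cert_names(cert)
    candidates = sans if sans else cns
    return any(_dns_name_matches(name, hostname) for name in candidates)


def accept_peer(cert: dict, hostname: str, chain_valid: bool, check_hostname: bool) -> bool:
    """Peer-acceptance decision.

    check_hostname=False reproduces the pre-1.8.1.4 imap-send policy: any
    certificate with a valid chain is accepted, whoever it was issued to.
    check_hostname=True is the fixed policy: chain valid AND name matches.
    """
    if not chain_valid:
        return False
    if not check_hostname:
        return True
    return hostname_matches(cert, hostname)


# Constructed sample certificates (not real certificates).
INTENDED_SERVER_CERT = {
    "subject": ((("commonName", "imap.example.com"),),),
    "subjectAltName": (("DNS", "imap.example.com"), ("DNS", "mail.example.com")),
}
# Chain-valid but issued for an unrelated host: the case the old code accepted.
OTHER_VALID_CERT = {
    "subject": ((("commonName", "other.example.net"),),),
    "subjectAltName": (("DNS", "other.example.net"),),
}
# Older style certificate with no SAN extension, so the CN is consulted.
LEGACY_CN_ONLY_CERT = {
    "subject": ((("commonName", "*.example.org"),),),
}


if __name__ == "__main__":
    host = "imap.example.com"
    for label, cert in (("intended", INTENDED_SERVER_CERT), ("other", OTHER_VALID_CERT)):
        old = accept_peer(cert, host, chain_valid=True, check_hostname=False)
        new = accept_peer(cert, host, chain_valid=True, check_hostname=True)
        print(f"{label:9s} cert for {host}: pre-fix accepts={old}, fixed accepts={new}")
```

Run stand-alone, the script shows that the intended certificate passes under both policies while the unrelated but chain-valid certificate is accepted only by the pre-fix policy, which is exactly the spoofing condition the description names.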
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | git | — | — |
| git-scm | git | <= 1.8.1.3 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vendor_debian | — | 4.3 | LOW | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
Red Hat
git: Incorrect IMAP server's SSL x509.v3 certificate validation in git-imap-send command
vendor_redhat · 2013-02-20 · CVSS 4.3 · MEDIUM
Debian
CVE-2013-0308: git - The imap-send command in GIT before 1.8.1.4 does not verify that the server host...
vendor_debian · 2013 · CVSS 4.3 · MEDIUM
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
GHSA
GHSA-p33f-8gh4-2vgm: The imap-send command in GIT before 1
ghsa_unreviewed · 2022-05-05 · MEDIUM · CWE-20
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2013-0308 git: Incorrect IMAP server's SSL x509.v3 certificate validation in git-imap-send command [fedora-all]
bugzilla · 2013-02-21 · CVSS 4.3 · MEDIUM

This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when a
Bugzilla
CVE-2013-0308 git: Incorrect IMAP server's SSL x509.v3 certificate validation in git-imap-send command [epel-5]
bugzilla · 2013-02-21 · CVSS 4.3 · MEDIUM

This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when
Bugzilla
CVE-2013-0308 git: Incorrect IMAP server's SSL x509.v3 certificate validation in git-imap-send command
bugzilla · 2013-02-11 · CVSS 4.3 · MEDIUM
A security flaw was found in the way git-imap-send command (tool to send a collection of patches from stdin to an IMAP folder) of Git performed IMAP server's SSL x509.v3 certificate validation (server's hostname was previously not verified to match the CN field of the particular certificate). A rogue server could use this flaw to conduct man-in-the-middle (MiTM) attacks, possibly leading to disclosure of sensitive information.
References:
[1] https://www.kernel.org/pub/software/scm/git/docs/git-imap-send.html
[2] https://github.com/git/git/blob/master/imap-send.c#L233
Discussion:
This issue affects the version of the git package, as shipped with Red Hat Enterprise Linux 6.
--
This i
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701586
- http://lists.apple.com/archives/security-announce/2013/Sep/msg00007.html
- http://lists.opensuse.org/opensuse-updates/2013-03/msg00005.html
- http://lists.opensuse.org/opensuse-updates/2013-03/msg00007.html
- http://marc.info/?l=git&m=136134619013145&w=2
- http://rhn.redhat.com/errata/RHSA-2013-0589.html
- http://secunia.com/advisories/52361
- http://secunia.com/advisories/52443
- http://secunia.com/advisories/52467
- http://support.apple.com/kb/HT5937
- http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
- http://www.securityfocus.com/bid/58148
- http://www.securitytracker.com/id/1028205
- https://bugzilla.novell.com/show_bug.cgi?id=804730
- https://bugzilla.redhat.com/show_bug.cgi?id=909977
- https://exchange.xforce.ibmcloud.com/vulnerabilities/82329
- https://raw.github.com/git/git/master/Documentation/RelNotes/1.8.1.4.txt