CVE-2013-2099: Inefficient Algorithmic Complexity in Python-tornado

Severity: 4.3 MEDIUM (NVD)
EPSS: 5.2% (top 10.02%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 9; latest update May 17

Description

Algorithmic complexity vulnerability in the ssl.match_hostname function in Python 3.2.x, 3.3.x, and earlier, and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.

CVSS vector

AV:N/AC:M/C:N/I:N/A:P
Exploitability: 8.6 | Impact: 2.9

Affected Packages (6 packages)

debian: debian/python2.7 < bzr 2.6.0~bzr6574-1 (bookworm)
debian: debian/python-tornado < bzr 2.6.0~bzr6574-1 (bookworm)
debian: debian/python-urllib3 < bzr 2.6.0~bzr6574-1 (bookworm)
NVD: python/python 9 versions +8
debian: debian/bzr < bzr 2.6.0~bzr6574-1 (bookworm)

Also affects: Ubuntu Linux 12.04, 12.10, 13.04

Patches

🔴 Vulnerability Details (2)

GHSA: GHSA-cqcg-qrcv-vr6v: Algorithmic complexity vulnerability in the ssl (2022-05-17)
OSV: CVE-2013-2099: Algorithmic complexity vulnerability in the ssl (2013-10-09)

📋 Vendor Advisories (5)

Ubuntu: Python 3.3 vulnerabilities (2013-10-01)
Ubuntu: Python 2.7 vulnerabilities (2013-10-01)
Ubuntu: Python 3.2 vulnerabilities (2013-10-01)
Red Hat: python: ssl.match_hostname() DoS via certificates with specially crafted hostname wildcard patterns (2013-05-15)
Debian: CVE-2013-2099: bzr - Algorithmic complexity vulnerability in the ssl.match_hostname function in Pytho... (2013)

💬 Community (18)

Bugzilla: CVE-2013-2099 CVE-2013-7440 python-pymongo: various flaws [fedora-all] (2016-02-03)
Bugzilla: CVE-2013-2099 CVE-2013-7440 python-pymongo: various flaws [fedora-all] (2016-02-03)
Bugzilla: CVE-2013-2099 CVE-2013-7440 python-pymongo: various flaws [fedora-all] (2016-02-03)
Bugzilla: CVE-2013-2099 CVE-2013-7440 python-pymongo: various flaws [fedora-all] (2015-06-12)
Bugzilla: CVE-2013-2099 CVE-2013-7440 python-pymongo: various flaws [epel-all] (2015-06-12)