CVE-2013-4238: Improper Input Validation in Python

Severity
NVD: 4.3 MEDIUM
OSV: 5.9
EPSS: 1.4% (top 19.67%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Aug 18
Latest update: May 13

Description

The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
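The flaw is easier to see with a small model of the hostname check. The example below is added here and is not Python's own code: it emulates the pre-fix behaviour, where a dNSName copied into a C string was silently cut at the first NUL byte, beside the fixed behaviour of rejecting any name containing NUL, and runs both against a constructed SAN list. The wildcard matcher is a simplified version of what ssl.match_hostname does and is an assumption for illustration.

```python
import re

# Constructed sample: raw dNSName bytes of a certificate's SAN field, as an
# X.509 parser would return them. The second entry carries an embedded NUL.
SAN_ENTRIES = [
    b"other.example",
    b"www.bank.example\x00.other.example",
]

def _dnsname_match(dn: str, hostname: str) -> bool:
    """Match one dNSName against hostname; one '*' is allowed, and only in
    the leftmost label (simplified from the stdlib matcher)."""
    if not dn:
        return False
    leftmost, *rest = dn.split(".")
    if leftmost.count("*") > 1:
        return False
    pat = re.escape(leftmost).replace(r"\*", "[^.]*")
    parts = [pat] + [re.escape(label) for label in rest]
    return re.match(r"\A" + r"\.".join(parts) + r"\Z", hostname,
                    re.IGNORECASE) is not None

def decode_san_vulnerable(raw: bytes) -> str:
    # Pre-fix behaviour: the name went through a C string, so everything
    # after the first NUL byte was dropped before matching.
    return raw.split(b"\x00", 1)[0].decode("ascii")

def decode_san_fixed(raw: bytes) -> str:
    # Fixed behaviour: NUL can never occur in a valid DNS name, so the
    # certificate is rejected instead of being truncated.
    if b"\x00" in raw:
        raise ValueError("NUL byte in dNSName: rejecting certificate")
    return raw.decode("ascii")

def match_hostname(san_entries, hostname: str, decode) -> bool:
    """True if hostname matches any SAN entry after decoding with `decode`."""
    return any(_dnsname_match(decode(raw), hostname) for raw in san_entries)

def demo(hostname: str = "www.bank.example"):
    """Return (vulnerable_result, fixed_result) for the constructed SAN list."""
    vulnerable = match_hostname(SAN_ENTRIES, hostname, decode_san_vulnerable)
    try:
        fixed = match_hostname(SAN_ENTRIES, hostname, decode_san_fixed)
    except ValueError:
        fixed = False  # certificate rejected outright
    return vulnerable, fixed

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The vulnerable path accepts the certificate for www.bank.example even though no CA would knowingly issue that name; the fixed path refuses to evaluate a certificate whose SAN contains a NUL byte at all.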

CVSS vector

AV:N/AC:M/C:N/I:P/A:N
Exploitability: 8.6 | Impact: 2.9

Affected Packages (6 packages)

debian: debian/python2.7 < 2.7.5-8 (bullseye)
NVD: python/python, 29 versions (+28 more)
NVD: opensuse/opensuse 11.4, 12.2, 12.3 (+2 more)

Also affects: Ubuntu Linux 10.04

Patches

Vulnerability Details (2)

GHSA: GHSA-vp8q-678w-8xq9: The ssl (2022-05-13)
OSV: CVE-2013-4238: The ssl (2013-08-18)

Vendor Advisories (7)

VMware: VMware vSphere product updates address security vulnerabilities (2014-12-04)
Ubuntu: Python 2.6 vulnerability (2013-10-01)
Ubuntu: Python 3.3 vulnerabilities (2013-10-01)
Ubuntu: Python 2.7 vulnerabilities (2013-10-01)
Ubuntu: Python 3.2 vulnerabilities (2013-10-01)

Community (16)

Bugzilla: CVE-2013-4238 python26: python: hostname check bypassing vulnerability in SSL module [epel-5] (2013-08-20)
Bugzilla: CVE-2013-4238 python: hostname check bypassing vulnerability in SSL module [fedora-all] (2013-08-19)
Bugzilla: CVE-2013-4248 php: hostname check bypassing vulnerability in SSL client (2013-08-14)
Bugzilla: CVE-2013-4238 python-requests: python: hostname check bypassing vulnerability in SSL module [fedora-all] (2013-08-13)
Bugzilla: CVE-2013-4238 python-backports-ssl_match_hostname: python: hostname check bypassing vulnerability in SSL module [epel-6] (2013-08-13)