CVE-2013-7449
published 2016-04-21CVE-2013-7449: The ssl_do_connect function in common/server.c in HexChat before 2.10.2, XChat, and XChat-GNOME does not verify that the server hostname matches a domain name…
PriorityP432medium6.5CVSS 3.0
AVNACLPRNUINSUCLILAN
EPSS
0.76%
50.5th percentile
The ssl_do_connect function in common/server.c in HexChat before 2.10.2, XChat, and XChat-GNOME does not verify that the server hostname matches a domain name in the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | hexchat | < hexchat 2.10.2-1 (bookworm) | hexchat 2.10.2-1 (bookworm) |
| hexchat_project | hexchat | <= 2.10.1 | — |
| hexchat_project | hexchat | >= 0 < 2.10.2-1 | 2.10.2-1 |
| hexchat_project | hexchat | >= 0 < 2.10.2-1 | 2.10.2-1 |
| hexchat_project | hexchat | >= 0 < 2.10.2-1 | 2.10.2-1 |
CVSS provenance
nvdv3.06.5MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
nvdv2.05.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:N
osv6.5MEDIUM
vendor_debian6.5MEDIUM
vendor_redhat6.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
xchat/hexchat: does not verify the server hostname matches the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates
vendor_redhat·2014-11-19·CVSS 6.5
CVE-2013-7449 [MEDIUM] CWE-297 xchat/hexchat: does not verify the server hostname matches the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates
xchat/hexchat: does not verify the server hostname matches the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates
The ssl_do_connect function in common/server.c in HexChat before 2.10.2, XChat, and XChat-GNOME does not verify that the server hostname matches a domain name in the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Package: xchat (Red Hat Enterprise Linux 5) - Will not fix
Package: xchat (Red Hat Enterprise Linux 6) - Will not fix
Package: xchat (Red Hat Enterprise Linux 7) - Will not fix
Debian
CVE-2013-7449: hexchat - The ssl_do_connect function in common/server.c in HexChat before 2.10.2, XChat, ...
vendor_debian·2013·CVSS 6.5
CVE-2013-7449 [MEDIUM] CVE-2013-7449: hexchat - The ssl_do_connect function in common/server.c in HexChat before 2.10.2, XChat, ...
The ssl_do_connect function in common/server.c in HexChat before 2.10.2, XChat, and XChat-GNOME does not verify that the server hostname matches a domain name in the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Scope: local
bookworm: resolved (fixed in 2.10.2-1)
bullseye: resolved (fixed in 2.10.2-1)
sid: resolved (fixed in 2.10.2-1)
trixie: resolved (fixed in 2.10.2-1)
GHSA
GHSA-vcmj-h4g7-8fpr: The ssl_do_connect function in common/server
ghsa_unreviewed·2022-05-13
CVE-2013-7449 [MEDIUM] GHSA-vcmj-h4g7-8fpr: The ssl_do_connect function in common/server
The ssl_do_connect function in common/server.c in HexChat before 2.10.2, XChat, and XChat-GNOME does not verify that the server hostname matches a domain name in the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
OSV
CVE-2013-7449: The ssl_do_connect function in common/server
osv·2016-04-21·CVSS 6.5
CVE-2013-7449 [MEDIUM] CVE-2013-7449: The ssl_do_connect function in common/server
The ssl_do_connect function in common/server.c in HexChat before 2.10.2, XChat, and XChat-GNOME does not verify that the server hostname matches a domain name in the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2013-7449 xchat/hexchat: does not verify the server hostname matches the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates [fedora-all]
bugzilla·2015-01-29·CVSS 6.5
CVE-2013-7449 [MEDIUM] CVE-2013-7449 xchat/hexchat: does not verify the server hostname matches the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates [fedora-all]
CVE-2013-7449 xchat/hexchat: does not verify the server hostname matches the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in th
Bugzilla
CVE-2013-7449 xchat/hexchat: does not verify the server hostname matches the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates
bugzilla·2014-03-28·CVSS 6.5
CVE-2013-7449 [MEDIUM] CVE-2013-7449 xchat/hexchat: does not verify the server hostname matches the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates
CVE-2013-7449 xchat/hexchat: does not verify the server hostname matches the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates
XChat did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name.
Discussion:
Acknowledgements:
Red Hat would like to thank Nicholas Bebout for reporting this issue.
---
This was fixed in hexchat this past November:
https://github.com/hexchat/hexchat/commit/c9b63f7f9be01692b03fa15275135a4910a7e02d
It was originally reported in April 2013:
https://github.com/hexchat/hexchat/issues/524
I'm not sure if th
http://hexchat.readthedocs.org/en/latest/changelog.htmlhttp://www.ubuntu.com/usn/USN-2945-1https://bugzilla.redhat.com/show_bug.cgi?id=1081839https://github.com/hexchat/hexchat/commit/c9b63f7f9be01692b03fa15275135a4910a7e02dhttps://github.com/hexchat/hexchat/issues/524http://hexchat.readthedocs.org/en/latest/changelog.htmlhttp://www.ubuntu.com/usn/USN-2945-1https://bugzilla.redhat.com/show_bug.cgi?id=1081839https://github.com/hexchat/hexchat/commit/c9b63f7f9be01692b03fa15275135a4910a7e02dhttps://github.com/hexchat/hexchat/issues/524
2016-04-21
Published