CVE-2023-52892Interpretation Conflict in Phpseclib

CWE-436Interpretation Conflict7 documents5 sources
Severity
7.5HIGHNVD
EPSS
0.2%
top 60.00%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
PhpseclibDebian Php-phpseclibDebian Php-phpseclib3+1 more
Timeline
PublishedJun 27
Latest updateApr 2

Description

In phpseclib before 1.0.22, 2.x before 2.0.46, and 3.x before 3.0.33, some characters in Subject Alternative Name fields in TLS certificates are incorrectly allowed to have a special meaning in regular expressions (such as a + wildcard), leading to name confusion in X.509 certificate host verification.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages7 packages

debiandebian/phpseclib< php-phpseclib 2.0.42-1+deb12u3 (bookworm)
NVDphpseclib/phpseclib1.0.01.0.22+2
Packagistphpseclib/phpseclib2.0.02.0.46+2
debiandebian/php-phpseclib< php-phpseclib 2.0.42-1+deb12u3 (bookworm)
debiandebian/php-phpseclib3< php-phpseclib 2.0.42-1+deb12u3 (bookworm)

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
phpseclib vulnerabilities2025-04-02
GHSA
Name confusion in x509 Subject Alternative Name fields2024-06-28
OSV
Name confusion in x509 Subject Alternative Name fields2024-06-28
OSV
CVE-2023-52892: In phpseclib before 12024-06-27

📋Vendor Advisories

2
Ubuntu
phpseclib vulnerabilities2025-04-02
Debian
CVE-2023-52892: php-phpseclib - In phpseclib before 1.0.22, 2.x before 2.0.46, and 3.x before 3.0.33, some chara...2023