CVE-2024-47619

CWE-295Improper Certificate Validation5 documents5 sources
Severity
7.5HIGH
EPSS
0.5%
top 33.72%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Syslog-ng Syslog-ngOneidentity Syslog-ngDebian Debian Linux
Timeline
PublishedMay 7
Latest updateMay 13

Description

syslog-ng is an enhanced log daemo. Prior to version 4.8.2, `tls_wildcard_match()` matches on certificates such as `foo.*.bar` although that is not allowed. It is also possible to pass partial wildcards such as `foo.a*c.bar` which glib matches but should be avoided / invalidated. This issue could have an impact on TLS connections, such as in man-in-the-middle situations. Version 4.8.2 contains a fix for the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

CVEListV5syslog-ng/syslog-ng< 4.8.2
Debiansyslog-ng< 3.28.1-2+deb11u2+3

Also affects: Debian Linux 11.0

Patches

Patch: github.com

🔴Vulnerability Details

2
CVEList
tranport: TLS host name wildcard matching too lax2025-05-07
OSV
CVE-2024-47619: syslog-ng is an enhanced log daemo2025-05-07

📋Vendor Advisories

2
Microsoft
tranport: TLS host name wildcard matching too lax2025-05-13
Debian
CVE-2024-47619: syslog-ng - syslog-ng is an enhanced log daemo. Prior to version 4.8.2, `tls_wildcard_match(...2024
CVE-2024-47619 (HIGH CVSS 7.5) | syslog-ng is an enhanced log daemo | cvebase.io