CVE-2013-0308 - OpenCVE

The imap-send command in GIT before 1.8.1.4 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Git-scm	Git

Configuration 1 [-]

cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*

References

Link	Resource
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701586
http://lists.apple.com/archives/security-announce/2013/Sep/msg00007.html
http://lists.opensuse.org/opensuse-updates/2013-03/msg00005.html
http://lists.opensuse.org/opensuse-updates/2013-03/msg00007.html
http://marc.info/?l=git&m=136134619013145&w=2
http://rhn.redhat.com/errata/RHSA-2013-0589.html
http://secunia.com/advisories/52361	Vendor Advisory
http://secunia.com/advisories/52443	Vendor Advisory
http://secunia.com/advisories/52467	Vendor Advisory
http://support.apple.com/kb/HT5937
http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
http://www.securityfocus.com/bid/58148
http://www.securitytracker.com/id/1028205
https://bugzilla.novell.com/show_bug.cgi?id=804730
https://bugzilla.redhat.com/show_bug.cgi?id=909977
https://exchange.xforce.ibmcloud.com/vulnerabilities/82329
https://raw.github.com/git/git/master/Documentation/RelNotes/1.8.1.4.txt

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2013-03-08T21:00:00

Updated: 2017-08-28T12:57:01

Reserved: 2012-12-06T00:00:00

Link: CVE-2013-0308

JSON object: View

NVD Information

Status : Modified

Published: 2013-03-08T21:55:03.170

Modified: 2021-01-26T14:55:18.397

Link: CVE-2013-0308

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-02-20T00:00:00", "descriptions": [{"lang": "en", "value": "The imap-send command in GIT before 1.8.1.4 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "1028205", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1028205"}, {"name": "RHSA-2013:0589", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0589.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://raw.github.com/git/git/master/Documentation/RelNotes/1.8.1.4.txt"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://support.apple.com/kb/HT5937"}, {"name": "git-gitimapsend-spoofing(82329)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82329"}, {"name": "APPLE-SA-2013-09-18-3", "tags": ["vendor-advisory", "x_refsource_APPLE"], "url": "http://lists.apple.com/archives/security-announce/2013/Sep/msg00007.html"}, {"name": "52361", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/52361"}, {"tags": ["x_refsource_MISC"], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701586"}, {"name": "[ANNOUNCE] 20130220 Git v1.8.1.4", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://marc.info/?l=git&m=136134619013145&w=2"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html"}, {"name": "openSUSE-SU-2013:0380", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2013-03/msg00005.html"}, {"name": "58148", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/58148"}, {"name": "52443", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/52443"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=909977"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.novell.com/show_bug.cgi?id=804730"}, {"name": "openSUSE-SU-2013:0382", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2013-03/msg00007.html"}, {"name": "52467", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/52467"}]}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-0308", "datePublished": "2013-03-08T21:00:00", "dateReserved": "2012-12-06T00:00:00", "dateUpdated": "2017-08-28T12:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B3F5077-5074-47E0-9C63-67A4C6ECB1DB", "versionEndIncluding": "1.8.1.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The imap-send command in GIT before 1.8.1.4 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate."}, {"lang": "es", "value": "El comando imap-send en GIT antes de v1.8.1.4 no comprueba si el nombre del servidor coincide con un nombre de dominio en el nombre com\u00fan del sujeto (CN) o el campo subjectAltName del certificado X.509, lo que permite atacantes MITM (Man-In-The-Middle) suplantar servidores SSL de su elecci\u00f3n a trav\u00e9s de un certificado v\u00e1lido.\r\n"}], "id": "CVE-2013-0308", "lastModified": "2021-01-26T14:55:18.397", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-03-08T21:55:03.170", "references": [{"source": "secalert@redhat.com", "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701586"}, {"source": "secalert@redhat.com", "url": "http://lists.apple.com/archives/security-announce/2013/Sep/msg00007.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2013-03/msg00005.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2013-03/msg00007.html"}, {"source": "secalert@redhat.com", "url": "http://marc.info/?l=git&m=136134619013145&w=2"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2013-0589.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/52361"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/52443"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/52467"}, {"source": "secalert@redhat.com", "url": "http://support.apple.com/kb/HT5937"}, {"source": "secalert@redhat.com", "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/58148"}, {"source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id/1028205"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.novell.com/show_bug.cgi?id=804730"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=909977"}, {"source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/82329"}, {"source": "secalert@redhat.com", "url": "https://raw.github.com/git/git/master/Documentation/RelNotes/1.8.1.4.txt"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}