CVE-2013-7440
Published: 7 June 2016
The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.
Notes
| Author | Note |
|---|---|
| tyhicks | This CVE is specifically for the multiple wildcards issue and not the change in behavior from RFC 2818 to RFC 6125. Note that revision 10d0edadbcdd changes the behavior over to RFC 6125, which may cause compatibility issues in old releases. |
| mdeslaur | Since this introduces a behaviour change, we will not be fixing this in stable releases. |
Priority
Status
| Package | Release | Status |
|---|---|---|
| python2.7 | precise | Not vulnerable (doesn't implement ssl.match_hostname) |
| python2.7 | trusty | Not vulnerable (contains the RFC 6125 code change) |
| python2.7 | upstream | Needs triage |
| python2.7 | utopic | Not vulnerable |
| python2.7 | vivid | Not vulnerable |
| python3.2 | precise | Ignored |
| python3.2 | trusty | Does not exist |
| python3.2 | upstream | Needs triage |
| python3.2 | utopic | Does not exist |
| python3.2 | vivid | Does not exist |
| python3.4 | precise | Does not exist |
| python3.4 | trusty | Not vulnerable (contains the RFC 6125 code change) |
| python3.4 | upstream | Needs triage |
| python3.4 | utopic | Not vulnerable |
| python3.4 | vivid | Not vulnerable |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.9 |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality impact | None |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |