GHSA-ff7q-6vwh-v9m4

Source

https://github.com/advisories/GHSA-ff7q-6vwh-v9m4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-ff7q-6vwh-v9m4/GHSA-ff7q-6vwh-v9m4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-ff7q-6vwh-v9m4

Aliases

CVE-2023-52892

Published

2024-06-28T00:33:31Z

Modified

2024-06-28T19:13:30.745817Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Name confusion in x509 Subject Alternative Name fields

Details

In phpseclib before 1.0.22, 2.x before 2.0.46, and 3.x before 3.0.33, some characters in Subject Alternative Name fields in TLS certificates are incorrectly allowed to have a special meaning in regular expressions (such as a + wildcard), leading to name confusion in X.509 certificate host verification.

Database specific

{
    "nvd_published_at": "2024-06-27T22:15:10Z",
    "cwe_ids": [
        "CWE-436"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-28T18:57:31Z"
}

References

Affected packages

Packagist / phpseclib/phpseclib

Package

Name: phpseclib/phpseclib
Purl: pkg:composer/phpseclib/phpseclib

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.0.22

Affected versions

0.*

0.3.0

0.3.1

0.3.5

0.3.6

0.3.7

0.3.8

0.3.9

0.3.10

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.10

1.0.11

1.0.12

1.0.13

1.0.14

1.0.15

1.0.16

1.0.17

1.0.18

1.0.19

1.0.20

1.0.21

Packagist / phpseclib/phpseclib

Package

Name: phpseclib/phpseclib
Purl: pkg:composer/phpseclib/phpseclib

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.0.46

Affected versions

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.0.12

2.0.13

2.0.14

2.0.15

2.0.16

2.0.17

2.0.18

2.0.19

2.0.20

2.0.21

2.0.22

2.0.23

2.0.24

2.0.25

2.0.26

2.0.27

2.0.28

2.0.29

2.0.30

2.0.31

2.0.32

2.0.33

2.0.34

2.0.35

2.0.36

2.0.37

2.0.38

2.0.39

2.0.40

2.0.41

2.0.42

2.0.43

2.0.44

2.0.45

Packagist / phpseclib/phpseclib

Package

Name: phpseclib/phpseclib
Purl: pkg:composer/phpseclib/phpseclib

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.0.33

Affected versions

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.0.12

3.0.13

3.0.14

3.0.15

3.0.16

3.0.17

3.0.18

3.0.19

3.0.20

3.0.21

3.0.22

3.0.23