Vulnerability Details: CVE-2013-0308
The imap-send command in GIT before 1.8.1.4 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Vulnerability category: Input validation
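As an added illustration (not code from the git project or from this advisory), the following Python shows the hostname check that the affected imap-send command lacked: after the certificate chain has been validated, the name the client connected to is compared against the certificate's subjectAltName DNS entries, falling back to the subject Common Name only when no SAN is present, and a wildcard is honoured only as the whole leftmost label. The certificate dictionaries are constructed samples in the shape Python's `ssl.SSLSocket.getpeercert()` returns; `imap_tls_context()` shows the standard-library settings that enable this check on a real IMAP-over-TLS connection.

```python
import ssl

# Constructed sample certificates (not real servers), in the dict shape that
# ssl.SSLSocket.getpeercert() returns for a verified peer.
CERT_WITH_SAN = {
    "subject": ((("commonName", "imap.example.com"),),),
    "subjectAltName": (("DNS", "imap.example.com"), ("DNS", "*.mail.example.com")),
}
CERT_CN_ONLY = {
    "subject": ((("countryName", "US"),), (("commonName", "imap.example.com"),)),
}
CERT_OTHER_HOST = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"),),
}


def _dns_names(cert):
    """Return the names the certificate is valid for and where they came from.

    subjectAltName DNS entries take precedence; the Common Name is consulted
    only when the certificate carries no SAN at all (RFC 6125 behaviour).
    """
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san, "subjectAltName"
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value], "commonName"
    return [], None


def _name_matches(pattern, hostname):
    """Case-insensitive match of one certificate name against the hostname.

    A wildcard is accepted only as the entire leftmost label, it must cover
    exactly one label, and it needs at least two further labels (no '*.com').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """The check CVE-2013-0308 was missing: is this cert issued for `hostname`?"""
    names, _source = _dns_names(cert)
    return any(_name_matches(name, hostname) for name in names)


def imap_tls_context():
    """Client-side TLS context that both validates the chain and the hostname.

    create_default_context() already sets these for SERVER_AUTH; they are
    restated so the two properties a hardened IMAP client needs are explicit.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True  # the stdlib then applies a check like hostname_matches()
    return ctx


if __name__ == "__main__":
    for cert, host in [
        (CERT_WITH_SAN, "imap.example.com"),
        (CERT_WITH_SAN, "mx1.mail.example.com"),
        (CERT_CN_ONLY, "imap.example.com"),
        (CERT_OTHER_HOST, "imap.example.com"),
    ]:
        print(f"{host:24s} -> {'accept' if hostname_matches(cert, host) else 'REJECT'}")
```

`CERT_OTHER_HOST` is a perfectly valid certificate for a different name; a client that only validates the chain (the pre-1.8.1.4 behaviour described above) would accept it, while `hostname_matches()` rejects it. Note that once a SAN extension is present the Common Name is ignored entirely, so a certificate whose CN names the host but whose SAN does not is rejected as well.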
Exploit prediction scoring system (EPSS) score for CVE-2013-0308
Probability of exploitation activity in the next 30 days: 0.27%
Percentile (the proportion of vulnerabilities scored at or below this one): ~64%
CVSS scores for CVE-2013-0308
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
| 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST |
CWE ids for CVE-2013-0308
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2013-0308
- https://raw.github.com/git/git/master/Documentation/RelNotes/1.8.1.4.txt
- GIT 'git-imap-send' Certificate Validation Flaw Lets Remote Users Spoof an IMAP Server - SecurityTracker (http://www.securitytracker.com/id/1028205)
- openSUSE-SU-2013:0380-1: moderate: git: check SSL certificates during im (http://lists.opensuse.org/opensuse-updates/2013-03/msg00005.html)
- GIT 'git-imap-send' Command SSL Certificate Validation Spoofing Vulnerability (http://www.securityfocus.com/bid/58148)
- Oracle Solaris Third Party Bulletin - April 2015 (http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html)
- #701586 - git: CVE-2013-0308: Incorrect IMAP server's SSL x509.v3 certificate validation - Debian Bug report logs (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701586)
- Apple - Lists.apple.com (http://lists.apple.com/archives/security-announce/2013/Sep/msg00007.html)
- About the security content of Xcode 5.0 - Apple Support (http://support.apple.com/kb/HT5937)
- Bug 804730 – VUL-1: CVE-2013-0308: git: missing SSL host verification in git-imap-send (https://bugzilla.novell.com/show_bug.cgi?id=804730)
- 909977 – (CVE-2013-0308) CVE-2013-0308 git: Incorrect IMAP server's SSL x509.v3 certificate validation in git-imap-send command (https://bugzilla.redhat.com/show_bug.cgi?id=909977)
- GIT git-imap-send spoofing CVE-2013-0308 Vulnerability Report (https://exchange.xforce.ibmcloud.com/vulnerabilities/82329)
- RHSA-2013:0589 - Security Advisory - Red Hat Customer Portal (http://rhn.redhat.com/errata/RHSA-2013-0589.html)
- '[ANNOUNCE] Git v1.8.1.4' - MARC (http://marc.info/?l=git&m=136134619013145&w=2)
- openSUSE-SU-2013:0382-1: moderate: git: check SSL certificates during im (http://lists.opensuse.org/opensuse-updates/2013-03/msg00007.html)
Products affected by CVE-2013-0308
- cpe:2.3:a:git-scm:git:*:*:*:*:*:*:*:*