CVE-2013-4073 in Mac OS Xinfo

Summary

The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a \0 character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Be aware that VulDB is the high quality source for vulnerability data.

Reservation

06/09/2013

Disclosure

08/17/2013

Status

Confirmed

Entries

VulDB provides additional information and datapoints for this CVE:

ID	Vulnerability	CWE	Exp	Cou	CVE
10940	Apple Mac OS X Ruby cryptographic issue	310	Not defined	Official fix	CVE-2013-4073
9299	Ruby SSL Module ssl.rb SSL.verify_certificate_identity cryptographic issue	310	Proof-of-Concept	Official fix	CVE-2013-4073

Description

CPE

CWE

CVSS

Exploits

History

Diff

Relate

Threat Intelligence

API JSON

API XML

API CSV

Sources

◂ PreviousOverviewNext ▸