Improper Data Handling

Affecting python2.7 package, versions <2.7.9-1

Overview

The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate.

CVSS Score

5.9 (medium severity)

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: High
  • Availability: None

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE: CVE-2013-7440
CWE: CWE-19
Snyk ID: SNYK-DEBIAN9-PYTHON27-306563
Disclosed: 07 Jun, 2016
Published: 07 Jun, 2016