Description

The ssl.match_hostname function in the SSL module in Python 2.6 through 3.4 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Remediation

References

CVE-2013-4238

Related Vulnerabilities

WordPress Plugin RokStories Multiple Vulnerabilities (1.25)

WordPress 4.7.x Multiple Vulnerabilities (4.7 - 4.7.2)

WordPress Plugin Social Like Box and Page by WpDevArt Cross-Site Scripting (0.8.40)

CKEditor Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2023-31541)

WebLogic Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression La Vulnerability (CVE-2021-28170)

Severity

Medium

Classification

CVE-2013-4238 CWE-20

Tags

Missing Update Known Vulnerabilities