CVE-2013-4248

CVSSv2: 4.3

Published: 18/08/2013 Updated: 07/11/2023
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP prior to 5.4.18 and 5.5.x prior to 5.5.2 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle malicious users to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Vulnerable Products

canonical ubuntu linux 10.04, 12.04, 12.10, 13.04
php php (version not specified)
php php 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5
php php 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6
php php 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9, 5.2.10, 5.2.11, 5.2.12, 5.2.13, 5.2.14, 5.2.15, 5.2.16, 5.2.17
php php 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.3.7, 5.3.8, 5.3.9, 5.3.10, 5.3.11, 5.3.12, 5.3.13, 5.3.14, 5.3.15, 5.3.16, 5.3.17, 5.3.18, 5.3.19, 5.3.20, 5.3.21, 5.3.22, 5.3.23, 5.3.24, 5.3.25, 5.3.26, 5.3.27
php php 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.4.6, 5.4.7, 5.4.8, 5.4.9, 5.4.10, 5.4.11, 5.4.12, 5.4.13, 5.4.14, 5.4.15, 5.4.16
php php 5.5.0, 5.5.1
redhat enterprise linux 5

Vendor Advisories

Debian Bug report logs - #719765 php5: CVE-2013-4248: invalid handling of certs with null bytes. Package: php5; Maintainer for php5 is Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>; Source for php5 is src:php5 (PTS, buildd, popcon). Reported by: Henri Salo <henri@nerv.fi>. Date: Thu, 15 Aug 2013 05:06:0 ...
Fraudulent security certificates could allow sensitive information to be exposed when accessing the Internet ...
Synopsis: Moderate: php security, bug fix, and enhancement update. Type/Severity: Security Advisory: Moderate. Topic: Updated php packages that fix three security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update ...
Synopsis: Moderate: php53 security, bug fix and enhancement update. Type/Severity: Security Advisory: Moderate. Topic: Updated php53 packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this ...
It was discovered that PHP, a general-purpose scripting language commonly used for web application development, did not properly process embedded NUL characters in the subjectAltName extension of X.509 certificates. Depending on the application and with insufficient CA-level checks, this could be abused for impersonating other users. For the oldsta ...
Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID. The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character in a domain name in the Subject Alternative ...
The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitim ...