Vulnerability Name: CVE-2013-0308 (CCN-82329)

Assigned: 2012-12-06
Published: 2013-02-20
Updated: 2021-01-26
Summary: The imap-send command in GIT before 1.8.1.4 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. The certificate chain is validated, but because the name is never compared with the host being connected to, a man-in-the-middle attacker can spoof the SSL server with any valid certificate issued by a trusted CA, whatever name it was issued for.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
4.3 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-20 (Improper Input Validation)
Vulnerability Consequences: Other
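The check that was missing is easy to state and easy to get subtly wrong, so the following is an added example (not git's code and not part of this advisory) that models it in Python. After the TLS library has validated the CA chain, the client must still compare the hostname it dialled against the certificate's subjectAltName dNSName entries, falling back to the subject CN only when no dNSName entry exists. The matching rules used here are the usual RFC 6125 ones (that is an assumption about what a correct client should do, not a description of git's implementation); the certificate dicts mimic the shape ssl.SSLSocket.getpeercert() returns and are constructed sample data. accept_peer() with check_hostname=False reproduces the pre-1.8.1.4 decision: a certificate legitimately issued to attacker.example is accepted for imap.example.com.

```python
"""Hostname verification of a TLS peer's X.509 certificate.

Added example, not code from git or from this advisory.  It models the
check git-imap-send did not perform before 1.8.1.4: after the CA chain
validates, the name the client connected to must still be matched
against the certificate's subjectAltName dNSName entries (or, only when
the certificate has no dNSName entries at all, its subject CN).  The
matching rules assumed here are the RFC 6125 ones; the certificate
dicts use the shape ssl.SSLSocket.getpeercert() returns and are
constructed sample data.
"""


def _dns_names(cert: dict) -> list:
    """dNSName entries of subjectAltName, lower-cased."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def _common_names(cert: dict) -> list:
    """Every commonName attribute in the subject, lower-cased."""
    return [v.lower() for rdn in cert.get("subject", ())
            for key, v in rdn if key == "commonName"]


def _name_matches(pattern: str, hostname: str) -> bool:
    """Compare one presented identifier against the reference hostname.

    A '*' is accepted only as the entire leftmost label, covers exactly
    one label, and is refused for patterns shorter than three labels
    (so '*.com' never matches).  Comparison is case-insensitive and
    ignores a trailing dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True iff hostname is covered by the certificate.

    SAN dNSName entries take precedence; the subject CN is consulted
    only when the certificate carries no dNSName entry at all."""
    candidates = _dns_names(cert) or _common_names(cert)
    return any(_name_matches(c, hostname) for c in candidates)


def accept_peer(cert: dict, hostname: str, check_hostname: bool = True) -> bool:
    """Client decision after the TLS handshake.

    'valid_chain' stands in for the CA-chain check the TLS library did.
    check_hostname=False reproduces the pre-1.8.1.4 behaviour: any
    CA-signed certificate is accepted, regardless of the name it was
    issued for."""
    if not cert.get("valid_chain", False):
        return False
    return hostname_matches(cert, hostname) if check_hostname else True


# Constructed sample certificates (getpeercert() dict shape).
LEGIT_CERT = {                     # the real IMAP server's certificate
    "valid_chain": True,
    "subject": ((("commonName", "imap.example.com"),),),
    "subjectAltName": (("DNS", "imap.example.com"), ("DNS", "*.mail.example.com")),
}
ATTACKER_CERT = {                  # a valid CA-signed cert for some other name
    "valid_chain": True,
    "subject": ((("commonName", "attacker.example"),),),
    "subjectAltName": (("DNS", "attacker.example"),),
}
CN_ONLY_CERT = {                   # legacy cert: no SAN, name only in the CN
    "valid_chain": True,
    "subject": ((("organizationName", "Example"),), (("commonName", "imap.example.com"),)),
}
SAN_OVERRIDES_CN_CERT = {          # CN matches but SAN says otherwise: SAN wins
    "valid_chain": True,
    "subject": ((("commonName", "imap.example.com"),),),
    "subjectAltName": (("DNS", "other.example"),),
}

if __name__ == "__main__":
    host = "imap.example.com"
    for name, cert in [("legit", LEGIT_CERT), ("attacker", ATTACKER_CERT)]:
        print(f"{name:9s} no hostname check: {accept_peer(cert, host, check_hostname=False)}"
              f"  with hostname check: {accept_peer(cert, host, check_hostname=True)}")
```

The point the example makes is that chain validation alone answers "was this certificate issued by a CA I trust", not "was it issued to the host I asked for"; only the second question stops an attacker who holds any valid certificate. For git the remedy is the 1.8.1.4 release (or a vendor build carrying the fix, see the RHSA, openSUSE and Apple references below).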
References:
Source: MISC
Type: UNKNOWN
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701586

Source: MITRE
Type: CNA
CVE-2013-0308

Source: CCN
Type: GIT Web site
GIT

Source: APPLE
Type: UNKNOWN
APPLE-SA-2013-09-18-3

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2013:0380

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2013:0382

Source: MLIST
Type: UNKNOWN
[ANNOUNCE] 20130220 Git v1.8.1.4

Source: CCN
Type: RHSA-2013-0589
Moderate: git security update

Source: REDHAT
Type: UNKNOWN
RHSA-2013:0589

Source: CCN
Type: SA52361
GIT "git-imap-send" SSL Certificate Verification Security Issue

Source: SECUNIA
Type: Vendor Advisory
52361

Source: SECUNIA
Type: Vendor Advisory
52443

Source: SECUNIA
Type: Vendor Advisory
52467

Source: CCN
Type: SA54887
Apple Xcode GIT "git-imap-send" SSL Certificate Verification Security Issue

Source: CONFIRM
Type: UNKNOWN
http://support.apple.com/kb/HT5937

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html

Source: CCN
Type: OSVDB ID: 97429
Apple Xcode imap-send X.509 Certificate Validation MitM Spoofing Weakness

Source: BID
Type: UNKNOWN
58148

Source: CCN
Type: BID-58148
GIT 'git-imap-send' Command SSL Certificate Validation Spoofing Vulnerability

Source: SECTRACK
Type: UNKNOWN
1028205

Source: CCN
Type: Novell Bugzilla Bug 804730 - VUL-1
CVE-2013-0308: git: missing SSL host verification in git-imap-send

Source: MISC
Type: UNKNOWN
https://bugzilla.novell.com/show_bug.cgi?id=804730

Source: MISC
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=909977

Source: XF
Type: UNKNOWN
git-gitimapsend-spoofing(82329)

Source: CONFIRM
Type: UNKNOWN
https://raw.github.com/git/git/master/Documentation/RelNotes/1.8.1.4.txt

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:git-scm:git:*:*:*:*:*:*:*:* (Version <= 1.8.1.3)

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:6::client:*:*:*:*:*

  • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:6::computenode:*:*:*:*:*

  • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*

  • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:6::workstation:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:git:git:1.8.1.3:*:*:*:*:*:*:*
  • AND
  • cpe:/o:redhat:enterprise_linux:6:*:server:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:6:*:workstation:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_desktop:6:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_hpc_node:6:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:26165 | P | Security update for libarchive (Moderate) | 2021-11-17
    oval:org.opensuse.security:def:20130308 | V | CVE-2013-0308 | 2021-08-15
    oval:org.opensuse.security:def:36412 | P | git-1.7.12.4-0.9.1 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:26037 | P | Security update for the Linux Kernel (Important) | 2021-01-15
    oval:org.opensuse.security:def:25973 | P | Security update for the Linux Kernel (Important) | 2020-12-09
    oval:org.opensuse.security:def:26591 | P | libmysqlclient15-32bit on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26737 | P | libadns1 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26303 | P | Security update for dnsmasq (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26640 | P | sudo on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:27375 | P | binutils-devel on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26387 | P | Security update for ffmpeg (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:25961 | P | Security update for the Linux Kernel (Important) | 2020-12-01
    oval:org.opensuse.security:def:26679 | P | cron on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:27410 | P | git on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26538 | P | e2fsprogs on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:25962 | P | Security update for mariadb (Important) | 2020-12-01
    oval:org.opensuse.security:def:26693 | P | evolution-data-server on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26246 | P | Security update for ImageMagick (Moderate) | 2020-12-01
    oval:org.mitre.oval:def:23297 | P | ELSA-2013:0589: git security update (Moderate) | 2014-05-26
    oval:org.mitre.oval:def:21085 | P | RHSA-2013:0589: git security update (Moderate) | 2014-02-17
    oval:com.ubuntu.precise:def:20130308000 | V | CVE-2013-0308 on Ubuntu 12.04 LTS (precise) - medium. | 2013-03-08
    oval:com.redhat.rhsa:def:20130589 | P | RHSA-2013:0589: git security update (Moderate) | 2013-03-04