| Vulnerability Name: | CVE-2013-2100 (CCN-84315) | ||||||||
| Assigned: | 2013-05-15 | ||||||||
| Published: | 2013-05-15 | ||||||||
| Updated: | 2017-08-29 | ||||||||
| Summary: | The urlopen function in pym/portage/util/_urlopen.py in Gentoo Portage 2.1.12, when using HTTPS, does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and modify binary package lists via a crafted certificate. | ||||||||
| CVSS v3 Severity: | 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
| ||||||||
| CVSS v2 Severity: | 9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C) 6.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
| ||||||||
| Vulnerability Type: | CWE-310 | ||||||||
| Vulnerability Consequences: | Bypass Security | ||||||||
| References: | Source: MITRE Type: CNA CVE-2013-2100 Source: MLIST Type: Exploit [oss-security] 20130515 CVE Request: Man in the middle on Gentoo Portage binary package installer Source: CCN Type: oss-sec mailing list, Wed, 15 May 2013 19:45:39 -0600 Re: CVE Request: Man in the middle on Gentoo Portage binary package installer Source: MLIST Type: UNKNOWN [oss-security] 20130515 Re: CVE Request: Man in the middle on Gentoo Portage binary package installer Source: CCN Type: Gentoo Web site Gentoo Linux Source: BID Type: UNKNOWN 59878 Source: CCN Type: BID-59878 Portage 'urlopen()' SSL Certificate Validation Security Bypass Vulnerability Source: CONFIRM Type: Patch https://bugs.gentoo.org/show_bug.cgi?id=469888 Source: XF Type: UNKNOWN portage-cve20132100-sec-bypass(84315) Source: XF Type: UNKNOWN portage-cve20132100-sec-bypass(84315) Source: GENTOO Type: UNKNOWN GLSA-201507-16 Source: CCN Type: WhiteSource Vulnerability Database CVE-2013-2100 | ||||||||
| Vulnerable Configuration: | Configuration 1: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||
| BACK | |||||||||