Vulnerability CVE-2013-2191

Vulnerability Name:

CVE-2013-2191 (CCN-85129)

Assigned:

2013-06-19

Published:

2013-06-19

Updated:

2018-10-30

Summary:

python-bugzilla before 0.9.0 does not validate X.509 certificates, which allows man-in-the-middle attackers to spoof Bugzilla servers via a crafted certificate.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-20

Vulnerability Consequences:

Other

References:

Source: MITRE
Type: CNA
CVE-2013-2191

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2013:1154

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2013:1155

Source: CCN
Type: SA53849
python-bugzilla Server Certificate Verification Spoofing Security Issue

Source: CCN
Type: oss-sec mailing list, Wed, 19 Jun 2013 12:58:40 -0400 (EDT)
CVE-2013-2191 python-bugzilla: Does not verify Bugzilla server certificate

Source: MLIST
Type: UNKNOWN
[oss-security] 20130619 [CVE identifier assignment notification] CVE-2013-2191 python-bugzilla: Does not verify Bugzilla server certificate

Source: CCN
Type: BID-60687
python-bugzilla CVE-2013-2191 SSL Certificate Validation Security Bypass Vulnerability

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=951594

Source: CCN
Type: Red Hat Bugzilla Bug 975962
CVE-2013-2191 python-bugzilla: Does not verify Bugzilla server certificate

Source: XF
Type: UNKNOWN
pythonbugzilla-cve20132191-spoofing(85129)

Source: CONFIRM
Type: Patch
https://git.fedorahosted.org/cgit/python-bugzilla.git/commit/?id=a782282ee479ba4cc1b8b1d89700ac630ba83eef

Source: CCN
Type: python-bugzilla mailing list, Wed Jun 19 18:12:33 UTC 2013
python-bugzilla

Source: MLIST
Type: UNKNOWN
[python-bugzilla] 20130619 ANNOUNCE: python-bugzilla 0.9.0 released

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-2191

Vulnerable Configuration:

Configuration 1:

cpe:/a:python_bugzilla_project:python-bugzilla:0.6.0:*:*:*:*:*:*:*

OR cpe:/a:python_bugzilla_project:python-bugzilla:0.6.1:*:*:*:*:*:*:*

OR cpe:/a:python_bugzilla_project:python-bugzilla:0.6.2:*:*:*:*:*:*:*

OR cpe:/a:python_bugzilla_project:python-bugzilla:0.7.0:*:*:*:*:*:*:*

OR cpe:/a:python_bugzilla_project:python-bugzilla:*:*:*:*:*:*:*:* (Version <= 0.8.0)

Configuration 2:

cpe:/o:fedoraproject:fedora:17:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:18:*:*:*:*:*:*:*

OR cpe:/o:opensuse:opensuse:11.4:*:*:*:*:*:*:*

OR cpe:/o:opensuse:opensuse:12.2:*:*:*:*:*:*:*

OR cpe:/o:opensuse:opensuse:12.3:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:python_bugzilla_project:python-bugzilla:0.8.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20132191	V	CVE-2013-2191	2022-06-30
oval:org.opensuse.security:def:113257	P	python36-bugzilla-3.0.2-1.6 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:113200	P	python-bugzilla-1.2.2-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:106620	P	python-bugzilla-1.2.2-1.1 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:106669	P	python36-bugzilla-3.0.2-1.6 on GA media (Moderate)	2021-10-01

BACK