GHSA-ff7q-6vwh-v9m4

Source
https://github.com/advisories/GHSA-ff7q-6vwh-v9m4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-ff7q-6vwh-v9m4/GHSA-ff7q-6vwh-v9m4.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-ff7q-6vwh-v9m4
Aliases
Published
2024-06-28T00:33:31Z
Modified
2024-06-28T19:13:28.214814Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Name confusion in x509 Subject Alternative Name fields
Details

In phpseclib before 1.0.22, 2.x before 2.0.46, and 3.x before 3.0.33, some characters in Subject Alternative Name fields in TLS certificates are incorrectly allowed to have a special meaning in regular expressions (such as a + wildcard), leading to name confusion in X.509 certificate host verification.
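The defect class described above is a host-name matcher that turns a SAN dNSName into a regular expression without first quoting it, so that characters such as `+` or `.` keep their regex meaning. The following is an added, illustrative example and not phpseclib's own code: `naive_san_matches` reproduces the bug class, `safe_san_matches` quotes the SAN with `preg_quote` and honours a wildcard only as the entire left-most label (the rule RFC 6125 section 6.4.3 recommends), and `host_matches_any_san` runs a host against a list of SAN values. All function names and the SAN list are constructed for this example.

```php
<?php
// Added example (not phpseclib's code): matching a TLS host name against a
// certificate's SAN dNSName entries, once naively and once with regex
// metacharacters quoted. Requires PHP 8.0+ (str_contains).
declare(strict_types=1);

/**
 * Naive matcher: swaps the wildcard for a label pattern but leaves every
 * other regex metacharacter live. Hypothetical code illustrating the bug
 * class in the advisory; it is not phpseclib's implementation.
 */
function naive_san_matches(string $san, string $host): bool
{
    $pattern = '/^' . str_replace('*', '[^.]*', $san) . '$/i';
    return preg_match($pattern, $host) === 1;
}

/**
 * Hardened matcher: compares literally unless the SAN carries a wildcard,
 * and then quotes everything except the wildcard we deliberately re-insert.
 * The wildcard is accepted only as the whole left-most label and only when
 * at least two labels follow it.
 */
function safe_san_matches(string $san, string $host): bool
{
    $san  = strtolower(rtrim($san, '.'));
    $host = strtolower(rtrim($host, '.'));

    if (!str_contains($san, '*')) {
        return $san === $host;          // no regex involved at all
    }

    $labels = explode('.', $san);
    $rest   = implode('.', array_slice($labels, 1));
    if ($labels[0] !== '*' || count($labels) < 3 || str_contains($rest, '*')) {
        return false;                   // partial or multiple wildcards rejected
    }

    // preg_quote neutralises '.', '+', '?', '(' and friends in the suffix.
    $pattern = '/^[^.]+\.' . preg_quote($rest, '/') . '$/';
    return preg_match($pattern, $host) === 1;
}

/**
 * Return the SAN entry that matched $host under $matcher, or null.
 * Mirrors the shape of a host-verification step over a certificate's SAN list.
 */
function host_matches_any_san(array $sans, string $host, callable $matcher): ?string
{
    foreach ($sans as $san) {
        if ($matcher($san, $host)) {
            return $san;
        }
    }
    return null;
}

// Constructed SAN list. 'a+b.example.test' is the kind of entry whose '+' the
// naive matcher treats as a quantifier rather than a literal character.
$sans = ['www.example.test', 'a+b.example.test', '*.wild.test'];

$hosts = [
    'www.example.test',     // exact entry: both matchers accept
    'wwwXexample.test',     // naive accepts via the unescaped '.'; safe rejects
    'aab.example.test',     // naive accepts via 'a+' quantifier; safe rejects
    'a+b.example.test',     // the literal name: naive rejects, safe accepts
    'api.wild.test',        // single-label wildcard match: both accept
    'deep.sub.wild.test',   // wildcard must not span labels: both reject
];

foreach ($hosts as $host) {
    printf("%-22s naive=%-18s safe=%s\n", $host,
        var_export(host_matches_any_san($sans, $host, 'naive_san_matches'), true),
        var_export(host_matches_any_san($sans, $host, 'safe_san_matches'), true));
}
```

Run with `php san_match.php` (file name assumed). The two hosts worth looking at are `wwwXexample.test` and `aab.example.test`: the naive matcher reports a match against a SAN entry that does not name them, which is exactly the name confusion the advisory describes, while the quoted matcher only ever matches the entry literally or through a properly bounded wildcard.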

Database specific
{
    "nvd_published_at": "2024-06-27T22:15:10Z",
    "cwe_ids": [
        "CWE-436"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-28T18:57:31Z"
}
References

Affected packages

Packagist / phpseclib/phpseclib

Package

Name
phpseclib/phpseclib
Purl
pkg:composer/phpseclib/phpseclib

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.0.22

Affected versions

0.*

0.3.0
0.3.1
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.3.10

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.0.12
1.0.13
1.0.14
1.0.15
1.0.16
1.0.17
1.0.18
1.0.19
1.0.20
1.0.21

Packagist / phpseclib/phpseclib

Package

Name
phpseclib/phpseclib
Purl
pkg:composer/phpseclib/phpseclib

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.0.46

Affected versions

2.*

2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.0.18
2.0.19
2.0.20
2.0.21
2.0.22
2.0.23
2.0.24
2.0.25
2.0.26
2.0.27
2.0.28
2.0.29
2.0.30
2.0.31
2.0.32
2.0.33
2.0.34
2.0.35
2.0.36
2.0.37
2.0.38
2.0.39
2.0.40
2.0.41
2.0.42
2.0.43
2.0.44
2.0.45

Packagist / phpseclib/phpseclib

Package

Name
phpseclib/phpseclib
Purl
pkg:composer/phpseclib/phpseclib

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.33

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18
3.0.19
3.0.20
3.0.21
3.0.22
3.0.23