Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1mZjdxLTZ2d2gtdjltNM4AA9aG

Name confusion in x509 Subject Alternative Name fields

In phpseclib before 1.0.22, 2.x before 2.0.46, and 3.x before 3.0.33, some characters in Subject Alternative Name fields in TLS certificates are incorrectly allowed to have a special meaning in regular expressions (such as a + wildcard), leading to name confusion in X.509 certificate host verification.

Permalink: https://github.com/advisories/GHSA-ff7q-6vwh-v9m4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mZjdxLTZ2d2gtdjltNM4AA9aG
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 17 days ago
Updated: 16 days ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-ff7q-6vwh-v9m4, CVE-2023-52892
References: Repository: https://github.com/phpseclib/phpseclib
Blast Radius: 35.2

Affected Packages

packagist:phpseclib/phpseclib
Dependent packages: 1,138
Dependent repositories: 49,762
Downloads: 287,429,283 total
Affected Version Ranges: >= 3.0.0, < 3.0.33, >= 2.0.0, < 2.0.46, < 1.0.22
Fixed in: 3.0.33, 2.0.46, 1.0.22
All affected versions: 0.3.0, 0.3.1, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 1.0.17, 1.0.18, 1.0.19, 1.0.20, 1.0.21, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.0.19, 2.0.20, 2.0.21, 2.0.22, 2.0.23, 2.0.24, 2.0.25, 2.0.26, 2.0.27, 2.0.28, 2.0.29, 2.0.30, 2.0.31, 2.0.32, 2.0.33, 2.0.34, 2.0.35, 2.0.36, 2.0.37, 2.0.38, 2.0.39, 2.0.40, 2.0.41, 2.0.42, 2.0.43, 2.0.44, 2.0.45, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.0.17, 3.0.18, 3.0.19, 3.0.20, 3.0.21, 3.0.22, 3.0.23
All unaffected versions: 1.0.22, 1.0.23, 2.0.46, 2.0.47, 3.0.33, 3.0.34, 3.0.35, 3.0.36, 3.0.37, 3.0.38, 3.0.39