CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
52.8%
The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and
3.x before 3.3.3 does not properly handle wildcards in hostnames, which
might allow man-in-the-middle attackers to spoof servers via a crafted
certificate.
Author | Note |
---|---|
tyhicks | This CVE is specifically for the multiple wildcards issue and not the change in behavior from RFC 2818 to RFC 6125 Note that revision 10d0edadbcdd changes the behavior over to RFC 6125 which may cause compatibability issues in old releases |
mdeslaur | since this introduces a behaviour change, we will not be fixing this in stable releases. |
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile
52.8%