GIT 'git-imap-send' Command SSL Certificate Validation Spoofing Vulnerability
BID:58148
Info
| Bugtraq ID: | 58148 |
| Class: | Design Error |
| CVE: | CVE-2013-0308 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 24 2013 12:00AM |
| Updated: | Apr 13 2015 09:19PM |
| Credit: | Salvatore Bonaccorso |
| Vulnerable: | S.u.S.E. openSUSE 12.1; S.u.S.E. openSUSE 11.4; Redhat Enterprise Linux Workstation Optional 6; Redhat Enterprise Linux Workstation 6; Redhat Enterprise Linux Server Optional 6; Redhat Enterprise Linux Server 6; Redhat Enterprise Linux HPC Node Optional 6; Redhat Enterprise Linux Desktop Optional 6; Oracle Enterprise Linux 6.2; Oracle Enterprise Linux 6; openSUSE openSUSE 12.2; GIT GIT 1.7.2; GIT GIT 1.5.6; GIT GIT 1.5.5; GIT GIT 1.8.1.3; GIT GIT 1.7.3.4; GIT GIT 1.7.3.3; CentOS CentOS 6; Apple Xcode 2.4.1; Apple Xcode 4.4; Apple Xcode 4.3; Apple Xcode 3.1; Apple Xcode 3.0; Apple Xcode 2.3; Apple Xcode 2.2; Apple Xcode 2.1; Apple Xcode 2.0 |
| Not Vulnerable: | GIT GIT 1.8.1.4; Apple Xcode 5.0 |
Discussion
GIT is prone to a security vulnerability that may allow attackers to conduct spoofing attacks.
Attackers can exploit this issue to spoof a valid server and conduct man-in-the-middle attacks. Successful exploits will cause victims to accept the certificates assuming they are from a legitimate site.
Versions prior to GIT 1.8.1.4 are vulnerable.
Exploit / POC
Attackers can use readily available tools to exploit this issue.
Solution / Fix
Solution:
Updates are available. Please see the references or vendor advisory for more information.
References
References:
- APPLE-SA-2013-09-18-3 Xcode 5.0 (Apple)
- Bug 804730 - VUL-1: CVE-2013-0308: git: missing SSL host verification in git-ima (Bugzilla)
- GIT Homepage (GIT)
- git: CVE-2013-0308: Incorrect IMAP server's SSL x509.v3 certificate validation (Salvatore Bonaccorso)
- openSUSE-SU-2013:0380-1: moderate: git: check SSL certificates during imap-send (OpenSUSE)
- openSUSE-SU-2013:0382-1: moderate: git: check SSL certificates during imap-send (OpenSUSE)