CVE-2013-0308: Input Validation
First published: Mon Feb 11 2013(Updated: )
A security flaw was found in the way git-imap-send command (tool to send a collection of patches from stdin to an IMAP folder) of Git performed IMAP server's SSL x509.v3 certificate validation (server's hostname was previously not verified to match the CN field of the particular certificate). A rogue server could use this flaw to conduct man-in-the-middle (MiTM) attacks, possibly leading to disclosure of sensitive information. References: [1] <a href="https://www.kernel.org/pub/software/scm/git/docs/git-imap-send.html">https://www.kernel.org/pub/software/scm/git/docs/git-imap-send.html</a> [2] <a href="https://github.com/git/git/blob/master/imap-send.c#L233">https://github.com/git/git/blob/master/imap-send.c#L233</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Git Git-shell | <=1.8.1.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.kernel.org/pub/software/scm/git/docs/git-imap-send.html
- https://github.com/git/git/blob/master/imap-send.c#L233
- https://access.redhat.com/security/cve/CVE-2013-0308
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=699610&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=699610&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=699611&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=699611&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=699612&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=699612&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=700017&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=700017&action=edit
- https://raw.github.com/git/git/master/Documentation/RelNotes/1.8.1.4.txt
- http://marc.info/?l=git&m=136134619013145&w=2
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=913593
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=913595
- https://rhn.redhat.com/errata/RHSA-2013-0589.html
- https://bugzilla.redhat.com/show_bug.cgi?id=909977
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701586
- http://lists.apple.com/archives/security-announce/2013/Sep/msg00007.html
- http://lists.opensuse.org/opensuse-updates/2013-03/msg00005.html
- http://lists.opensuse.org/opensuse-updates/2013-03/msg00007.html
- http://rhn.redhat.com/errata/RHSA-2013-0589.html
- http://secunia.com/advisories/52361
- http://secunia.com/advisories/52443
- http://secunia.com/advisories/52467
- http://support.apple.com/kb/HT5937
- http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
- http://www.securityfocus.com/bid/58148
- http://www.securitytracker.com/id/1028205
- https://bugzilla.novell.com/show_bug.cgi?id=804730
- https://exchange.xforce.ibmcloud.com/vulnerabilities/82329
Frequently Asked Questions
What is the severity of CVE-2013-0308?
CVE-2013-0308 has a medium severity rating due to the potential for man-in-the-middle attacks.
How do I fix CVE-2013-0308?
To fix CVE-2013-0308, upgrade to Git version 1.8.2 or later, where the issue has been resolved.
What systems are affected by CVE-2013-0308?
CVE-2013-0308 affects Git versions up to and including 1.8.1.3.
What does CVE-2013-0308 affect in Git?
CVE-2013-0308 affects the git-imap-send command's ability to properly validate SSL x509.v3 certificates.
Is there a workaround for CVE-2013-0308?
While the best solution is to upgrade, users can avoid the issue by using alternative methods for sending patches until an upgrade is feasible.
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/references
- agent/author
- agent/last-modified-date
- agent/severity
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-0308
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/git-scm
- canonical/git git-shell
- version/git git-shell/1.8.1.3