Metric | Value |
---|---|
AI Score | 6.1 Medium |
Confidence | Low |
CVSS2 | 4.3 Medium |
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
CVSS2 Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
EPSS | 0.003 Low |
Percentile | 67.8% |

The imap-send command in GIT before 1.8.1.4 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CPE | Name | Operator | Version |
---|---|---|---|
git-scm:git | git-scm git | le | 1.8.1.3 |
bugs.debian.org/cgi-bin/bugreport.cgi?bug=701586
lists.apple.com/archives/security-announce/2013/Sep/msg00007.html
lists.opensuse.org/opensuse-updates/2013-03/msg00005.html
lists.opensuse.org/opensuse-updates/2013-03/msg00007.html
marc.info/?l=git&m=136134619013145&w=2
rhn.redhat.com/errata/RHSA-2013-0589.html
secunia.com/advisories/52361
secunia.com/advisories/52443
secunia.com/advisories/52467
support.apple.com/kb/HT5937
www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
www.securityfocus.com/bid/58148
www.securitytracker.com/id/1028205
bugzilla.novell.com/show_bug.cgi?id=804730
bugzilla.redhat.com/show_bug.cgi?id=909977
exchange.xforce.ibmcloud.com/vulnerabilities/82329
raw.github.com/git/git/master/Documentation/RelNotes/1.8.1.4.txt