Vulnerability Description
In phpseclib before 1.0.22, 2.x before 2.0.46, and 3.x before 3.0.33, some characters in Subject Alternative Name fields in TLS certificates are incorrectly allowed to have a special meaning in regular expressions (such as a + wildcard), leading to name confusion in X.509 certificate host verification.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Phpseclib | Phpseclib | >= 1.0.0, < 1.0.22 |
Related Weaknesses (CWE)
References
- https://github.com/phpseclib/phpseclib/commit/6cd6e8ceab9f2b55c8cd81d2192bf98cbePatch
- https://github.com/phpseclib/phpseclib/issues/1943ExploitIssue Tracking
- https://github.com/phpseclib/phpseclib/releases/tag/3.0.33Release Notes
- https://github.com/x509-name-testing/name_testing_artifactsNot Applicable
- https://github.com/phpseclib/phpseclib/commit/6cd6e8ceab9f2b55c8cd81d2192bf98cbePatch
- https://github.com/phpseclib/phpseclib/issues/1943ExploitIssue Tracking
- https://github.com/phpseclib/phpseclib/releases/tag/3.0.33Release Notes
- https://github.com/x509-name-testing/name_testing_artifactsNot Applicable
FAQ
What is CVE-2023-52892?
CVE-2023-52892 is a vulnerability with a CVSS score of 7.5 (HIGH). In phpseclib before 1.0.22, 2.x before 2.0.46, and 3.x before 3.0.33, some characters in Subject Alternative Name fields in TLS certificates are incorrectly allowed to have a special meaning in regula...
How severe is CVE-2023-52892?
CVE-2023-52892 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-52892?
Check the references section above for vendor advisories and patch information. Affected products include: Phpseclib Phpseclib.