CVE-2024-47619
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
4Description
syslog-ng is an enhanced log daemo. Prior to version 4.8.2, `tls_wildcard_match()` matches on certificates such as `foo.*.bar` although that is not allowed. It is also possible to pass partial wildcards such as `foo.a*c.bar` which glib matches but should be avoided / invalidated. This issue could have an impact on TLS connections, such as in man-in-the-middle situations. Version 4.8.2 contains a fix for the issue.
Analysis
syslog-ng is an enhanced log daemo. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Technical Context
This vulnerability is classified under CWE-295. syslog-ng is an enhanced log daemo. Prior to version 4.8.2, `tls_wildcard_match()` matches on certificates such as `foo.*.bar` although that is not allowed. It is also possible to pass partial wildcards such as `foo.a*c.bar` which glib matches but should be avoided / invalidated. This issue could have an impact on TLS connections, such as in man-in-the-middle situations. Version 4.8.2 contains a fix for the issue. Affected products include: Oneidentity Syslog-Ng, Debian Debian Linux. Version information: version 4.8.2.
Affected Products
Oneidentity Syslog-Ng, Debian Debian Linux.
Remediation
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today