Fluid Attacks Database

Description

Name confusion in x509 Subject Alternative Name fields In phpseclib before 1.0.22, 2.x before 2.0.46, and 3.x before 3.0.33, some characters in Subject Alternative Name fields in TLS certificates are incorrectly allowed to have a special meaning in regular expressions (such as a + wildcard), leading to name confusion in X.509 certificate host verification.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	phpseclib/phpseclib	>=0 <1.0.22 \|\| >=2.0.0 <2.0.46 \|\| >=3.0.0 <3.0.33	1.0.22, 2.0.46, 3.0.33
debian 11	php-phpseclib	=2.0.30-2 \|\| =2.0.30-2+deb11u1 \|\| =2.0.30-2+deb11u2 \|\| =2.0.31-1 \|\| =2.0.32-1 \|\| =2.0.33-1 \|\| =2.0.34-1 \|\| =2.0.35-1 \|\| =2.0.36-1 \|\| =2.0.37-1 \|\| =2.0.38-1 \|\| =2.0.38-2 \|\| =2.0.38-3 \|\| =2.0.38-4 \|\| =2.0.39-1 \|\| =2.0.40-1 \|\| =2.0.41-1 \|\| =2.0.42-1 \|\| =2.0.44-1 \|\| =2.0.45-1 \|\| =2.0.46-1 \|\| =2.0.47-1 \|\| =2.0.47-2 \|\| =2.0.47-3 \|\| =2.0.48-1 \|\| =2.0.48-2 \|\| =2.0.48-3 \|\| =2.0.49-1 \|\| =2.0.50-1 \|\| =2.0.51-1 \|\| =2.0.52-1 \|\| =2.0.53-1 \|\| =2.0.54-1 \|\| =3.0.2-1	-
debian 12	php-phpseclib	=2.0.42-1 \|\| =2.0.42-1+deb12u1 \|\| =2.0.42-1+deb12u2 \|\| >=0 <2.0.42-1+deb12u3	2.0.42-1+deb12u3
debian 13	php-phpseclib	>=0 <2.0.46-1	2.0.46-1
debian 12	php-phpseclib3	=3.0.19-1 \|\| =3.0.19-1+deb12u1 \|\| =3.0.19-1+deb12u2 \|\| =3.0.19-1+deb12u3 \|\| >=0 <3.0.19-1+deb12u4	3.0.19-1+deb12u4
debian 13	php-phpseclib3	>=0 <3.0.33-1	3.0.33-1
debian 11	phpseclib	=1.0.19-3 \|\| =1.0.19-3+deb11u1 \|\| =1.0.19-3+deb11u2 \|\| >=0 <1.0.19-3+deb11u3	1.0.19-3+deb11u3
debian 12	phpseclib	=1.0.20-1 \|\| =1.0.20-1+deb12u1 \|\| =1.0.20-1+deb12u2 \|\| >=0 <1.0.20-1+deb12u3	1.0.20-1+deb12u3
debian 13	phpseclib	>=0 <1.0.22-1	1.0.22-1
debian 14	php-phpseclib3	>=0 <3.0.33-1	3.0.33-1

1-10 of 11

Aliases

1. CVE-2023-528922. NVD-2023-528923. OSV-2023-528924. OSV-DEBIAN-2023-528925. GCVE-2023-528926. SECURITY-TRACKER-CVE-2023-52892

References

1. https://github.com/phpseclib/phpseclib/issues/19432. https://github.com/phpseclib/phpseclib/commit/6cd6e8ceab9f2b55c8cd81d2192bf98cbeaf46273. https://github.com/phpseclib/phpseclib/releases/tag/3.0.334. https://github.com/x509-name-testing/name_testing_artifacts

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.