Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
tranport: TLS host name wildcard matching too lax
Vulnerability Description
syslog-ng is an enhanced log daemo. Prior to version 4.8.2, `tls_wildcard_match()` matches on certificates such as `foo.*.bar` although that is not allowed. It is also possible to pass partial wildcards such as `foo.a*c.bar` which glib matches but should be avoided / invalidated. This issue could have an impact on TLS connections, such as in man-in-the-middle situations. Version 4.8.2 contains a fix for the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Vulnerability Type
证书验证不恰当
Vulnerability Title
syslog-ng 安全漏洞
Vulnerability Description
syslog-ng是syslog-ng team团队的一个增强的日志守护程序。支持广泛的输入和输出方法:syslog、非结构化文本、队列、SQL 和 NoSQL。 syslog-ng 4.8.2之前版本存在安全漏洞,该漏洞源于tls_wildcard_match函数允许匹配无效证书模式,可能导致中间人攻击。
CVSS Information
N/A
Vulnerability Type
N/A