.. _ssl-match_hostname-wildcard-dos:

ssl.match_hostname() wildcard DoS
=================================

.. warning::
   This resource is maintained for historical reference and **does not contain
   the latest vulnerability info for Python**. The `canonical database for
   vulnerabilities affecting Python `_ is available on GitHub in the Open Source
   Vulnerability (OSV) format. This vulnerability can be viewed online at the
   `Open Source Vulnerability Database `_.

If the name in the certificate contains many ``*`` characters (wildcards),
matching the compiled regular expression against the host name can take a very
long time. Certificate validation happens before host name checking, so I think
this is a minor issue only because it can only be triggered in cooperation with
a CA (which seems unlikely).

Dates:

* Disclosure date: **2013-05-15** (Python issue bpo-17980 reported)

Fixed In
--------

* Python **3.2.6** (2014-10-12) fixed by `commit 86d53ca (branch 3.2) `_ (2013-05-18)
* Python **3.3.3** (2013-11-17) fixed by `commit 86d53ca (branch 3.2) `_ (2013-05-18)
* Python **3.4.0** (2014-03-16) fixed by `commit 86d53ca (branch 3.2) `_ (2013-05-18)

Python issue
------------

CVE-2013-2099 ssl.match_hostname() trips over crafted wildcard names.

* Python issue: `bpo-17980 `_
* Creation date: 2013-05-15
* Reporter: Florian Weimer

CVE-2013-2099
-------------

Algorithmic complexity vulnerability in the ssl.match_hostname function in
Python 3.2.x, 3.3.x, and earlier, and unspecified versions of
python-backports-ssl_match_hostname as used for older Python versions, allows
remote attackers to cause a denial of service (CPU consumption) via multiple
wildcard characters in the common name in a certificate.
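The defensive shape of a fix for this class of bug, as an added example that is not the page's or CPython's own code: count the ``*`` characters in the leftmost label and reject the name before any regular expression is built, so the cost of checking a hostile name stays linear in its length. The ``max_wildcards`` cap and the ``CertificateError`` class are assumptions of this example.

```python
import re


class CertificateError(ValueError):
    """Raised when a certificate DNS name is rejected (example class)."""


def dnsname_match(dn: str, hostname: str, max_wildcards: int = 1) -> bool:
    """Match a certificate DNS name against a hostname, RFC 6125 style.

    Hardened variant (example code): the wildcard count of the leftmost
    label is checked *before* any regex is compiled, so a name carrying
    many '*' characters is refused in O(len(dn)) time instead of being
    turned into a pattern whose matching cost grows with the count.
    """
    if not dn:
        return False
    leftmost, *remainder = dn.split('.')

    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        # Refuse early: never build a pattern with many '[^.]*' pieces.
        raise CertificateError(
            "too many wildcards in certificate DNS name: " + repr(dn))

    pats = []
    if not wildcards:
        pats.append(re.escape(leftmost))
    elif leftmost == '*':
        # A lone '*' matches exactly one non-empty DNS label.
        pats.append('[^.]+')
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        # RFC 6125 6.4.3: no wildcard matching inside IDNA A-labels.
        pats.append(re.escape(leftmost))
    else:
        # A partial wildcard such as 'f*' matches within a single label.
        pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))

    # Remaining labels must match literally.
    pats.extend(re.escape(frag) for frag in remainder)

    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None
```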
* CVE ID: `CVE-2013-2099 `_
* Published: 2013-10-09
* `CVSS Score `_: 4.3

Timeline
--------

Timeline using the disclosure date **2013-05-15** as reference:

* 2013-05-15: `Python issue bpo-17980 `_ reported by Florian Weimer
* 2013-05-18 (**+3 days**): `commit 86d53ca (branch 3.2) `_
* 2013-10-09 (**+147 days**): CVE-2013-2099 published
* 2013-11-17 (**+186 days**): Python 3.3.3 released
* 2014-03-16: Python 3.4.0 released
* 2014-10-12 (**+515 days**): Python 3.2.6 released