{"id":"CVE-2024-47619","summary":"transport: TLS host name wildcard matching too lax","details":"syslog-ng is an enhanced log daemon. Prior to version 4.8.2, `tls_wildcard_match()` accepts certificate name patterns such as `foo.*.bar`, although a wildcard in that position is not allowed. It also accepts partial wildcards such as `foo.a*c.bar`, which glib matches but which should be treated as invalid. This issue could have an impact on TLS connections, such as in man-in-the-middle situations. Version 4.8.2 contains a fix for the issue.","aliases":["GHSA-xr54-gx74-fghg"],"modified":"2026-04-10T05:17:25.525104Z","published":"2025-05-07T15:12:02.118Z","related":["openSUSE-SU-2025:15070-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/47xxx/CVE-2024-47619.json","cwe_ids":["CWE-295"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/syslog-ng/syslog-ng/blob/b0ccc8952d333fbc2d97e51fddc0b569a15e7a7d/lib/transport/tls-verifier.c#L78-L110"},{"type":"WEB","url":"https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.8.2"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00034.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/47xxx/CVE-2024-47619.json"},{"type":"ADVISORY","url":"https://github.com/syslog-ng/syslog-ng/security/advisories/GHSA-xr54-gx74-fghg"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47619"},{"type":"FIX","url":"https://github.com/syslog-ng/syslog-ng/commit/dadfdbecde5bfe710b0a6ee5699f96926b3f9006"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/syslog-ng/syslog-ng","events":[{"introduced":"0"},{"fixed":"642d8ac7e3eda945edaa0a771f3d86a7d68832f9"}]}],"versions":["pe-5.0-base","syslog-ng-3.10.1","syslog-ng-3.11.1","syslog-ng-3.12.1","syslog-ng-3.13.1","syslog-ng-3.13.2","syslog-ng-3.14.1","syslog-ng-3.15.1","syslog-ng-3.16.1","syslog-ng-3.17.1","syslog-ng-3.17.2","syslog-ng-3.18.1"
,"syslog-ng-3.19.1","syslog-ng-3.20.1","syslog-ng-3.21.1","syslog-ng-3.22.1","syslog-ng-3.23.1","syslog-ng-3.24.1","syslog-ng-3.25.1","syslog-ng-3.26.1","syslog-ng-3.27.1","syslog-ng-3.28.1","syslog-ng-3.29.1","syslog-ng-3.30.1","syslog-ng-3.31.1","syslog-ng-3.31.2","syslog-ng-3.32.1","syslog-ng-3.33.1","syslog-ng-3.33.2","syslog-ng-3.34.1","syslog-ng-3.35.1","syslog-ng-3.36.1","syslog-ng-3.37.1","syslog-ng-3.38.1","syslog-ng-3.6.0alpha1","syslog-ng-3.6.0alpha2","syslog-ng-3.6.0alpha3","syslog-ng-3.6.0beta1","syslog-ng-3.6.0beta2","syslog-ng-3.6.0rc1","syslog-ng-3.6.0rc2","syslog-ng-3.6.1","syslog-ng-3.7.0alpha1","syslog-ng-3.7.0alpha2","syslog-ng-3.7.0beta1","syslog-ng-3.7.0beta2","syslog-ng-3.7.1","syslog-ng-3.7.2","syslog-ng-3.8.0beta1","syslog-ng-3.8.0beta2","syslog-ng-3.8.1","syslog-ng-3.9.1","syslog-ng-4.0.0","syslog-ng-4.0.1","syslog-ng-4.1.0","syslog-ng-4.1.1","syslog-ng-4.2.0","syslog-ng-4.3.0","syslog-ng-4.3.1","syslog-ng-4.4.0","syslog-ng-4.5.0","syslog-ng-4.6.0","syslog-ng-4.7.0","syslog-ng-4.7.1","syslog-ng-4.8.0","syslog-ng-4.8.1","v2.1.1","v2.1alpha1","v2.1beta1","v2.1beta2","v3.0.1","v3.0.2","v3.1.0","v3.1beta1","v3.1beta2","v3.2alpha1","v3.2beta1","v3.3.0alpha1","v3.3.0alpha2","v3.4.0alpha1","v3.4.0alpha2","v3.4.0alpha3","v3.4.0beta1","v3.4.0rc1","v3.4.0rc2","v3.5.0_rc1","v3.5.0beta1","v3.5.0beta2","v3.5.0beta3","v3.5.0rc1","v3.5.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-47619.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}