CVE-2024-47619
HIGHsyslog-ng < 4.8.2 - Improper Certificate Validation in TLS Wildcard Matching
Title source: llmDescription
syslog-ng is an enhanced log daemo. Prior to version 4.8.2, `tls_wildcard_match()` matches on certificates such as `foo.*.bar` although that is not allowed. It is also possible to pass partial wildcards such as `foo.a*c.bar` which glib matches but should be avoided / invalidated. This issue could have an impact on TLS connections, such as in man-in-the-middle situations. Version 4.8.2 contains a fix for the issue.
References (5)
Core 5
Core References
Mailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/05/msg00034.html
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/syslog-ng/syslog-ng/security/advisories/GHSA-xr54-gx74-fghg
Patch x_refsource_misc
https://github.com/syslog-ng/syslog-ng/commit/dadfdbecde5bfe710b0a6ee5699f96926b3f9006
Product x_refsource_misc
https://github.com/syslog-ng/syslog-ng/blob/b0ccc8952d333fbc2d97e51fddc0b569a15e7a7d/lib/transport/tls-verifier.c#L78-L110
Release Notes x_refsource_misc
https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.8.2
Scores
CVSS v3
7.5
EPSS
0.0029
EPSS Percentile
20.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-295
Status
published
Products (2)
debian/debian_linux
11.0
oneidentity/syslog-ng
< 4.8.2
Published
May 07, 2025
Tracked Since
Feb 18, 2026