CVE

CVE-2009-2408
Date: (C) 2009-07-30   (M) 2018-06-11


Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.

CVSS Score and Metrics

CVSS V2 Severity:
CVSS Score: 6.8
Exploit Score: 8.6
Impact Score: 6.4

CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL

CVSS V3 Severity:
CVSS Score:
Exploit Score:
Impact Score:

CVSS V3 Metrics:
Attack Vector:
Attack Complexity:
Privileges Required:
User Interaction:
Scope:
Confidentiality:
Integrity:
Availability:

Reference:
SUNALERT-1021030
SECTRACK-1022632
SECUNIA-36088
SECUNIA-36125
SECUNIA-36139
SECUNIA-36157
SECUNIA-36434
SECUNIA-36669
SECUNIA-37098
OSVDB-56723
ADV-2009-2085
ADV-2009-3184
DSA-1874
MDVSA-2009:197
MDVSA-2009:216
MDVSA-2009:217
RHSA-2009:1207
RHSA-2009:1432
SUSE-SA:2009:048
SUSE-SR:2009:018
USN-810-1
USN-810-2
http://marc.info/?l=oss-security&m=125198917018936&w=2
http://isc.sans.org/diary.html?storyid=7003
http://www.mozilla.org/security/announce/2009/mfsa2009-42.html
http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/tls_m.c.diff?r1=1.8&r2=1.11&f=h
http://www.wired.com/threatlevel/2009/07/kaminsky/
https://bugzilla.redhat.com/show_bug.cgi?id=510251

CPE    143
cpe:/a:mozilla:seamonkey:1.1:beta
cpe:/a:mozilla:seamonkey:1.1:alpha
cpe:/a:mozilla:seamonkey:1.0:alpha
cpe:/a:mozilla:thunderbird:2.0.0.22
...
CWE    1
CWE-20
OVAL    25
oval:org.secpod.oval:def:500590
oval:org.secpod.oval:def:500609
oval:org.secpod.oval:def:600141
oval:org.mitre.oval:def:8111
...

© SecPod Technologies