Synopsis
Critical: nspr and nss security, bug fix, and enhancement update
Type/Severity
Security Advisory: Critical
Topic
Updated nspr and nss packages that fix security issues, bugs, and add an enhancement are now available for Red Hat Enterprise Linux 5. This update has been rated as having critical securit ...
Synopsis
Critical: nspr and nss security and bug fix update
Type/Severity
Security Advisory: Critical
Topic
Updated nspr and nss packages that fix security issues and bugs are now available for Red Hat Enterprise Linux 4.7 Extended Update Support. This update has been rated as having critical security impact ...
Synopsis
Critical: nspr and nss security and bug fix update
Type/Severity
Security Advisory: Critical
Topic
Updated nspr and nss packages that fix security issues and a bug are now available for Red Hat Enterprise Linux 4. This update has been rated as having critical security impact by the Red Hat Security Re ...
Several vulnerabilities have been discovered in the Network Security
Service libraries. The Common Vulnerabilities and Exposures project
identifies the following problems:
CVE-2009-2404
Moxie Marlinspike discovered that a buffer overflow in the regular
expression parser could lead to the execution of arbitrary code.
CVE-2009-2408
Dan Kami ...
Several remote vulnerabilities have been discovered in the Icedove
mail client, an unbranded version of the Thunderbird mail client. The
Common Vulnerabilities and Exposures project identifies the following
problems:
CVE-2009-2408
Dan Kaminsky and Moxie Marlinspike discovered that icedove does not
properly handle a '\0' character in a domain name ...
Moxie Marlinspike discovered that NSS did not properly handle regular
expressions in certificate names. A remote attacker could create a
specially crafted certificate to cause a denial of service (via application
crash) or execute arbitrary code as the user invoking the program.
(CVE-2009-2404) ...
USN-810-1 fixed vulnerabilities in NSS. This update provides the NSPR
needed to use the new NSS ...
USN-810-1 fixed vulnerabilities in NSS. Jozsef Kadlecsik noticed that
the new libraries on amd64 did not correctly set stack memory flags,
and caused applications using NSS (e.g. Firefox) to have an executable
stack. This reduced the effectiveness of some defensive security
protections. This update fixes the problem ...
Debian Bug report logs -
#539934
CVE-2009-2408, CVE-2009-2404, NSS multiple vulnerabilities
Package:
nss;
Maintainer for nss is Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>;
Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>
Date: Tue, 4 Aug 2009 15:03:02 UTC
Severity: serious
Tag ...
Debian Bug report logs -
#553432
CVE-2009-3767: Doesn't properly handle NULL character in subject Common Name
Package:
openldap;
Maintainer for openldap is Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>;
Reported by: Giuseppe Iuculano <iuculano@debian.org>
Date: Sat, 31 Oct 2009 10:00:01 UTC
...
Debian Bug report logs -
#564581
CVE-2009-4565: does not properly handle a '\0' character in a Common Name (CN) field of an X509 certificate
Package:
sendmail;
Maintainer for sendmail is Debian QA Group <packages@qa.debian.org>; Source for sendmail is src:sendmail (PTS, buildd, popcon)
Reported by: Giuseppe Iuculano <iuc ...
Debian Bug report logs -
#549293
CVE-2009-3490: does not properly handle a '\0' character in a domain name in the Common Name field of an X509 certificate
Package:
wget;
Maintainer for wget is Noël Köthe <noel@debian.org>; Source for wget is src:wget (PTS, buildd, popcon)
Reported by: Giuseppe Iuculano <giuseppe@iucula ...
Debian Bug report logs -
#542926
CVE-2009-2474: Improper verification of x590v3 certificate with NUL (zero) byte in certain fields
Packages:
neon27, neon, neon26;
Maintainer for neon27 is Laszlo Boszormenyi (GCS) <gcs@debian.org>; Maintainer for neon is (unknown); Maintainer for neon26 is (unknown);
Reported by: Giuseppe Iucu ...
Debian Bug report logs -
#545793
CVE-2009-2700: QSslCertificate incorrect verification of SSL certificate with NUL in subjectAltName
Package:
qt4-x11;
Maintainer for qt4-x11 is Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>;
Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>
Date: Wed, 9 Sep 2009 08:00 ...
Debian Bug report logs -
#546212
CVE-2009-2702: KDE KSSL NULL Character Certificate Spoofing Vulnerability
Package:
kdelibs;
Maintainer for kdelibs is (unknown);
Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>
Date: Fri, 11 Sep 2009 17:42:02 UTC
Severity: serious
Tags: security
Fixed in versions kdelibs/4:3510dfs ...
Mozilla Foundation Security Advisory 2009-42
Compromise of SSL-protected communication
Announced
August 1, 2009
Reporter
Dan Kaminsky
Impact
Critical
Products
Firefox, NSS, SeaMonkey, Thunderbird
Fixed in
...