CVSSv2: 5.8

CVE-2009-2474

Published: 21/08/2009 Updated: 22/05/2020
CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6
VMScore: 516
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Vulnerability Summary

neon prior to 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. The CA sees the full CN and validates the part after the NUL, which the attacker controls, while a client that compares the CN as a NUL-terminated C string sees only the part before the NUL and accepts the certificate for the victim host.
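How the embedded NUL defeats a C-string comparison of the CN, as an added illustration that is not neon's code: the toy DER decoder, both comparison routines and the two certificate subject values below are constructed for this example. In a real client the CN bytes and their length come from the TLS library's ASN.1 accessors (for OpenSSL, ASN1_STRING_length and ASN1_STRING_get0_data), and the hardened routine shows the check those values need: an embedded NUL is rejected outright and the match must cover the whole encoded length.

```c
#include <stdio.h>
#include <string.h>

/* A CN attribute value as an ASN.1 parser returns it: a byte pointer plus
 * the encoded length. The length is authoritative; strlen() on the bytes
 * is not, because the value may contain an embedded NUL. */
struct cn_value {
    const unsigned char *data;
    size_t len;
};

/* Toy DER decoder for a single UTF8String (tag 0x0c) with a short-form
 * length. Enough for the example; a real client uses its TLS library's
 * ASN.1 routines. Returns 0 on success, -1 on malformed input. */
static int decode_utf8string(const unsigned char *der, size_t der_len,
                             struct cn_value *out)
{
    if (der_len < 2 || der[0] != 0x0c) return -1;
    size_t len = der[1];
    if (len > 0x7f || der_len - 2 < len) return -1;
    out->data = der + 2;
    out->len = len;
    return 0;
}

/* Vulnerable pattern: the CN bytes are handed to strcmp(), which stops at
 * the first NUL, so "www.bank.example\0.attacker.example" compares equal
 * to "www.bank.example". */
static int cn_matches_host_vulnerable(const struct cn_value *cn,
                                      const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* Hardened pattern: reject any embedded NUL, then require the match to
 * cover the whole ASN.1 length, not just the bytes before a NUL. */
static int cn_matches_host_fixed(const struct cn_value *cn, const char *host)
{
    size_t host_len = strlen(host);
    if (memchr(cn->data, '\0', cn->len) != NULL) return 0;
    if (cn->len != host_len) return 0;
    return memcmp(cn->data, host, host_len) == 0;
}

/* Decode a DER-encoded CN and check it against host with either routine.
 * Returns 1 if accepted, 0 if rejected, -1 if the DER is malformed. */
int check_cn_der(const unsigned char *der, size_t der_len,
                 const char *host, int hardened)
{
    struct cn_value cn;
    if (decode_utf8string(der, der_len, &cn) != 0) return -1;
    return hardened ? cn_matches_host_fixed(&cn, host)
                    : cn_matches_host_vulnerable(&cn, host);
}

/* Constructed test vectors, not taken from any real certificate.
 * The crafted value is what a CA that only validated ownership of
 * attacker.example might sign: the NUL sits right after the victim name.
 * 0x10 = 16 bytes, 0x22 = 16 + 1 + 17 = 34 bytes. */
static const unsigned char LEGIT_CN_DER[] =
    "\x0c\x10www.bank.example";
static const unsigned char CRAFTED_CN_DER[] =
    "\x0c\x22www.bank.example\0.attacker.example";

int main(void)
{
    const char *host = "www.bank.example";
    /* sizeof - 1 drops the string literal's own terminating NUL. */
    printf("legit   vulnerable=%d hardened=%d\n",
           check_cn_der(LEGIT_CN_DER, sizeof LEGIT_CN_DER - 1, host, 0),
           check_cn_der(LEGIT_CN_DER, sizeof LEGIT_CN_DER - 1, host, 1));
    printf("crafted vulnerable=%d hardened=%d\n",
           check_cn_der(CRAFTED_CN_DER, sizeof CRAFTED_CN_DER - 1, host, 0),
           check_cn_der(CRAFTED_CN_DER, sizeof CRAFTED_CN_DER - 1, host, 1));
    return 0;
}
```

The legitimate value is accepted by both routines; the crafted value is accepted only by the strcmp-based check, which is the spoofing path the advisory describes. Note that the hardened routine still does only an exact CN match: wildcard handling and subjectAltName dNSName entries need the same length-aware treatment and are out of scope here.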

Vulnerable Products

webdav neon

apple mac os x

canonical ubuntu linux 6.06

canonical ubuntu linux 8.04

canonical ubuntu linux 8.10

canonical ubuntu linux 9.04

fedoraproject fedora 10

fedoraproject fedora 11

Vendor Advisories

Joe Orton discovered that neon did not correctly handle SSL certificates with zero bytes in the Common Name. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications ...
Debian Bug report logs - #542926 CVE-2009-2474: Improper verification of x509v3 certificate with NUL (zero) byte in certain fields Packages: neon27, neon, neon26; Maintainer for neon27 is Laszlo Boszormenyi (GCS) <gcs@debian.org>; Maintainer for neon is (unknown); Maintainer for neon26 is (unknown); Reported by: Giuseppe Iucu ...