CVE-2009-2474

Published: 21/08/2009 Updated: 22/05/2020
CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6
VMScore: 516
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Vulnerability Summary

neon prior to 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
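
The flaw class described above, shown as an added example (this is not neon's code, nor code from any advisory listed here): a CN compared as a C string is cut off at the first '\0', while a check that uses the ASN.1 length rejects it. The `cn_value` type, the function names and the sample CNs are hypothetical and constructed for illustration; only exact-match comparison is covered, not wildcards.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical type: a CN as decoded from ASN.1, raw bytes plus explicit length. */
struct cn_value { const unsigned char *data; size_t len; };

/* Case-insensitive comparison of exactly n bytes. */
static int eq_nocase(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Flawed pattern: the CN is handled as a C string, so its length is taken
 * with strlen() and everything after the first '\0' is ignored.
 * (Assumes data is NUL-terminated, as the constructed samples are.) */
int cn_matches_naive(const struct cn_value *cn, const char *hostname)
{
    size_t n = strlen((const char *)cn->data);
    return n == strlen(hostname) && eq_nocase(cn->data, hostname, n);
}

/* Length-aware check: a CN with an embedded NUL is rejected outright, and
 * the comparison covers the full ASN.1 length. */
int cn_matches_strict(const struct cn_value *cn, const char *hostname)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;
    return cn->len == strlen(hostname) && eq_nocase(cn->data, hostname, cn->len);
}

/* Constructed sample CNs (not taken from any real certificate). */
static const unsigned char CRAFTED_CN[] = "www.example.com\0.other.test";
static const unsigned char CLEAN_CN[] = "www.example.com";
static const struct cn_value crafted = { CRAFTED_CN, sizeof CRAFTED_CN - 1 };
static const struct cn_value clean = { CLEAN_CN, sizeof CLEAN_CN - 1 };

int main(void)
{
    const char *host = "www.example.com";
    printf("naive  crafted=%d clean=%d\n", cn_matches_naive(&crafted, host), cn_matches_naive(&clean, host));
    printf("strict crafted=%d clean=%d\n", cn_matches_strict(&crafted, host), cn_matches_strict(&clean, host));
    return 0;
}
```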

Vulnerable Product

webdav neon

apple mac os x

canonical ubuntu linux 6.06

canonical ubuntu linux 8.04

canonical ubuntu linux 8.10

canonical ubuntu linux 9.04

fedoraproject fedora 10

fedoraproject fedora 11

Vendor Advisories

Debian Bug report logs - #542926 CVE-2009-2474: Improper verification of x509v3 certificate with NUL (zero) byte in certain fields. Packages: neon27, neon, neon26; Maintainer for neon27 is Laszlo Boszormenyi (GCS) <gcs@debian.org>; Maintainer for neon is (unknown); Maintainer for neon26 is (unknown); Reported by: Giuseppe Iucu ...
Joe Orton discovered that neon did not correctly handle SSL certificates with zero bytes in the Common Name. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications ...