CVE-2009-3490

Published: 30/09/2009 Updated: 19/09/2017
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
VMScore: 605
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

GNU Wget prior to 1.12 does not properly handle a '\0' character in a domain name in the Common Name field of an X.509 certificate, which allows man-in-the-middle remote malicious users to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Vulnerable Product

gnu wget 1.10.1

gnu wget 1.10.2

gnu wget 1.9

gnu wget 1.9.1

gnu wget 1.11.1

gnu wget 1.5.3

gnu wget 1.6

gnu wget 1.11.2

gnu wget 1.11.3

gnu wget 1.10

gnu wget 1.8

gnu wget 1.8.1

gnu wget 1.7

gnu wget 1.7.1

gnu wget 1.11

gnu wget

Vendor Advisories

Debian Bug report logs - #549293 CVE-2009-3490: does not properly handle a '\0' character in a domain name in the Common Name field of an X.509 certificate. Package: wget; Maintainer for wget is Noël Köthe <noel@debian.org>; Source for wget is src:wget. Reported by: Giuseppe Iuculano <giuseppe@iucula ...
It was discovered that Wget did not correctly handle SSL certificates with zero bytes in the Common Name. A remote attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications ...
Daniel Stenberg discovered that wget, a network utility to retrieve files from the Web using HTTP(S) and FTP, is vulnerable to the "Null Prefix Attacks Against SSL/TLS Certificates" published at the Blackhat conference some time ago. This allows an attacker to perform undetected man-in-the-middle attacks via a crafted ITU-T X.509 certificate with a ...