CVE-2009-2474 - Vulnerability Details

neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apple	Mac Os X
Canonical	Ubuntu Linux
Fedoraproject	Fedora
Redhat	Enterprise Linux
Webdav	Neon

Configuration 1 [-]

cpe:2.3:a:webdav:neon:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*

Configuration 3 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:6.06::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:8.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:8.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:9.04:::::::*

Configuration 4 [-]

OR	cpe:2.3:o:fedoraproject:fedora:10:::::::*
	cpe:2.3:o:fedoraproject:fedora:11:::::::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 4
neon-0:0.24.7-4.el4_8.2	cpe:/o:redhat:enterprise_linux:4	RHSA-2009:1452	2009-09-21T00:00:00Z
Red Hat Enterprise Linux 5
neon-0:0.25.5-10.el5_4.1	cpe:/o:redhat:enterprise_linux:5	RHSA-2009:1452	2009-09-21T00:00:00Z

References

Link	Providers
http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html
http://lists.manyfish.co.uk/pipermail/neon/2009-August/001044.html
http://lists.manyfish.co.uk/pipermail/neon/2009-August/001046.html
http://secunia.com/advisories/36371
http://secunia.com/advisories/36799
http://support.apple.com/kb/HT4435
http://www.mandriva.com/security/advisories?name=MDVSA-2009:221
http://www.securityfocus.com/bid/36079
http://www.ubuntu.com/usn/usn-835-1
http://www.vupen.com/english/advisories/2009/2341
https://nvd.nist.gov/vuln/detail/CVE-2009-2474
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11721
https://www.cve.org/CVERecord?id=CVE-2009-2474
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00924.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00945.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2009-08-21T17:00:00

Updated: 2024-08-07T05:52:14.820Z

Reserved: 2009-07-15T00:00:00

Link: CVE-2009-2474

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2009-08-21T17:30:00.360

Modified: 2025-04-09T00:30:58.490

Link: CVE-2009-2474

Redhat

Severity : Moderate

Publid Date: 2009-08-18T00:00:00Z

Links: CVE-2009-2474 - Bugzilla

Metrics

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object