{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-09-03T00:00:00", "descriptions": [{"lang": "en", "value": "mutt_ssl.c in mutt 1.5.16 and other versions before 1.5.19, when OpenSSL is used, does not verify the domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2009-11-11T10:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[oss-security] 20091026 Re: More CVE-2009-2408 like issues", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2009/10/26/1"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://dev.mutt.org/trac/ticket/3087"}, {"name": "[oss-security] 20090903 More CVE-2009-2408 like issues", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://marc.info/?l=oss-security&m=125198917018936&w=2"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-3766", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "mutt_ssl.c in mutt 1.5.16 and other versions before 1.5.19, when OpenSSL is used, does not verify the domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20091026 Re: More CVE-2009-2408 like issues", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2009/10/26/1"}, {"name": "http://dev.mutt.org/trac/ticket/3087", "refsource": "CONFIRM", "url": "http://dev.mutt.org/trac/ticket/3087"}, {"name": "[oss-security] 20090903 More CVE-2009-2408 like issues", "refsource": "MLIST", "url": "http://marc.info/?l=oss-security&m=125198917018936&w=2"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T06:38:30.251Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20091026 Re: More CVE-2009-2408 like issues", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2009/10/26/1"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://dev.mutt.org/trac/ticket/3087"}, {"name": "[oss-security] 20090903 More CVE-2009-2408 like issues", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://marc.info/?l=oss-security&m=125198917018936&w=2"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-3766", "datePublished": "2009-10-23T19:00:00", "dateReserved": "2009-10-23T00:00:00", "dateUpdated": "2024-08-07T06:38:30.251Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mutt:mutt:*:*:*:*:*:*:*:*", "matchCriteriaId": "7A318134-FDFF-4D07-9DCD-7C7F04148552", "versionEndExcluding": "1.5.19", "versionStartIncluding": "1.5.16", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "matchCriteriaId": "DDA1CA86-1405-4C25-9BC2-5A5E6A76B911", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "mutt_ssl.c in mutt 1.5.16 and other versions before 1.5.19, when OpenSSL is used, does not verify the domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate."}, {"lang": "es", "value": "En el archivo mutt_ssl.c en mutt versi\u00f3n 1.5.16 y otras versiones anteriores a 1.5.19, cuando es usado OpenSSL, no comprueba el nombre de dominio en el campo Common Name (CN) de un certificado X.509, que permite a los atacantes de tipo man-in-the-middle falsificar servidores SSL por medio de un certificado v\u00e1lido arbitrario."}], "id": "CVE-2009-3766", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2009-10-23T19:30:00.233", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://dev.mutt.org/trac/ticket/3087"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://marc.info/?l=oss-security&m=125198917018936&w=2"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2009/10/26/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://dev.mutt.org/trac/ticket/3087"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://marc.info/?l=oss-security&m=125198917018936&w=2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2009/10/26/1"}], "sourceIdentifier": "cve@mitre.org", "vendorComments": [{"comment": "Red Hat is aware of this issue and is tracking it via the following bug:\nhttps://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-3766\n\nThe Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw.", "lastModified": "2009-11-26T00:00:00", "organization": "Red Hat"}], "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "mutt: missing host name vs. SSL certificate name checks", "id": "531011", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=531011"}, "csaw": false, "cvss": {"cvss_base_score": "5.8", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "status": "draft"}, "cwe": "CWE-297", "details": ["mutt_ssl.c in mutt 1.5.16 and other versions before 1.5.19, when OpenSSL is used, does not verify the domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate."], "name": "CVE-2009-3766", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:4", "fix_state": "Will not fix", "package_name": "mutt", "product_name": "Red Hat Enterprise Linux 4"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "mutt", "product_name": "Red Hat Enterprise Linux 5"}], "public_date": "2009-08-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2009-3766\nhttps://nvd.nist.gov/vuln/detail/CVE-2009-3766"], "threat_severity": "Moderate"}