CVE-2009-2474


Description

neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

References

http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html

http://lists.manyfish.co.uk/pipermail/neon/2009-August/001044.html

http://lists.manyfish.co.uk/pipermail/neon/2009-August/001046.html

http://secunia.com/advisories/36371

http://secunia.com/advisories/36799

http://support.apple.com/kb/HT4435

http://www.mandriva.com/security/advisories?name=MDVSA-2009:221

http://www.securityfocus.com/bid/36079

http://www.ubuntu.com/usn/usn-835-1

http://www.vupen.com/english/advisories/2009/2341

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11721

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00924.html

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00945.html

Details

Source: MITRE

Published: 2009-08-21

Updated: 2020-05-22

Type: CWE-326

Risk Information

CVSS v2

Base Score: 5.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 8.6

Severity: MEDIUM

Tenable Plugins (12 total)

| ID     | Name                                                                                   | Product                 | Family                                 | Severity |
|--------|----------------------------------------------------------------------------------------|-------------------------|----------------------------------------|----------|
| 67927  | Oracle Linux 4 / 5 : neon (ELSA-2009-1452)                                             | Nessus                  | Oracle Linux Local Security Checks     | medium   |
| 60667  | Scientific Linux Security Update : neon on SL4.x, SL5.x i386/x86_64                    | Nessus                  | Scientific Linux Local Security Checks | medium   |
| 800791 | Mac OS X 10.6 < 10.6.5 Multiple Vulnerabilities                                        | Log Correlation Engine  | Operating System Detection             | high     |
| 5705   | Mac OS X 10.6 < 10.6.5 Multiple Vulnerabilities                                        | Nessus Network Monitor  | Generic                                | critical |
| 50548  | Mac OS X 10.6.x < 10.6.5 Multiple Vulnerabilities                                      | Nessus                  | MacOS X Local Security Checks          | critical |
| 43792  | CentOS 4 / 5 : neon (CESA-2009:1452)                                                   | Nessus                  | CentOS Local Security Checks           | medium   |
| 43018  | Mandriva Linux Security Advisory : libneon (MDVSA-2009:315)                            | Nessus                  | Mandriva Local Security Checks         | medium   |
| 41046  | Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : neon, neon27 vulnerabilities (USN-835-1)    | Nessus                  | Ubuntu Local Security Checks           | medium   |
| 41031  | RHEL 4 / 5 : neon (RHSA-2009:1452)                                                     | Nessus                  | Red Hat Local Security Checks          | medium   |
| 40764  | Mandriva Linux Security Advisory : libneon0.27 (MDVSA-2009:221)                        | Nessus                  | Mandriva Local Security Checks         | medium   |
| 40683  | Fedora 11 : neon-0.28.6-1.fc11 (2009-8815)                                             | Nessus                  | Fedora Local Security Checks           | medium   |
| 40677  | Fedora 10 : neon-0.28.6-1.fc10 (2009-8794)                                             | Nessus                  | Fedora Local Security Checks           | medium   |