Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

CVE-2009-2417

Disclosure Date: August 14, 2009
CVE-2009-2417
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a ‘\0’ character in a domain name in the subject’s Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

References

Canonical
CVE-2009-2417 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2417)
BID-36032 (http://www.securityfocus.com/bid/36032)
Advisory
http://curl.haxx.se/CVE-2009-2417/curl-7.15.1-CVE-2009-2417.patch
http://curl.haxx.se/CVE-2009-2417/curl-7.19.0-CVE-2009-2417.patch
http://curl.haxx.se/CVE-2009-2417/curl-7.19.5-CVE-2009-2417.patch
http://curl.haxx.se/CVE-2009-2417/curl-7.12.1-CVE-2009-2417.patch
20090824 rPSA-2009-0124-1 curl (http://www.securityfocus.com/archive/1/506055/100/0/threaded)
SECUNIA-37471 (http://secunia.com/advisories/37471)
ADV-2009-2263 (http://www.vupen.com/english/advisories/2009/2263)
USN-1158-1 (http://www.ubuntu.com/usn/USN-1158-1)
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
SECUNIA-36238 (http://secunia.com/advisories/36238)
APPLE-SA-2010-03-29-1 (http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html)
XF-curl-certificate-security-bypass(52405) (https://exchange.xforce.ibmcloud.com/vulnerabilities/52405)
http://curl.haxx.se/CVE-2009-2417/curl-7.16.4-CVE-2009-2417.patch
http://wiki.rpath.com/Advisories:rPSA-2009-0124
http://curl.haxx.se/CVE-2009-2417/curl-7.10.6-CVE-2009-2417.patch
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8542
http://curl.haxx.se/CVE-2009-2417/curl-7.18.1-CVE-2009-2417.patch
20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components (http://www.securityfocus.com/archive/1/507985/100/0/threaded)
http://support.apple.com/kb/HT4077
http://shibboleth.internet2.edu/secadv/secadv_20090817.txt
SECUNIA-36475 (http://secunia.com/advisories/36475)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10114
http://curl.haxx.se/docs/adv_20090812.txt
SECUNIA-45047 (http://secunia.com/advisories/45047)
http://curl.haxx.se/CVE-2009-2417/curl-7.15.5-CVE-2009-2417.patch
ADV-2009-3316 (http://www.vupen.com/english/advisories/2009/3316)
http://curl.haxx.se/CVE-2009-2417/curl-7.11.0-CVE-2009-2417.patch

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis