Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

0

CVE-2009-2409

Disclosure Date: July 30, 2009 •

Description

The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

Vendors

Products

References

Canonical

CVE-2009-2409 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409)

Advisory

SECUNIA-36139 (http://secunia.com/advisories/36139)

SECUNIA-36157 (http://secunia.com/advisories/36157)

http://www.mandriva.com/security/advisories?name=MDVSA-2009:197

http://www.mandriva.com/security/advisories?name=MDVSA-2009:216

DSA-1888 (https://www.debian.org/security/2009/dsa-1888)

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8594

GLSA-200911-02 (http://security.gentoo.org/glsa/glsa-200911-02.xml)

SECUNIA-36434 (http://secunia.com/advisories/36434)

GLSA-200912-01 (http://security.gentoo.org/glsa/glsa-200912-01.xml)

SECTRACK-1022631 (http://www.securitytracker.com/id?1022631)

SECUNIA-42467 (http://secunia.com/advisories/42467)

[syslog-ng-announce] 20110110 syslog-ng Premium Edition 3.0.6a has been released (https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000101.html)

http://www.redhat.com/support/errata/RHSA-2009-1207.html

20101207 VMSA-2010-0019 VMware ESX third party updates for Service Console (http://www.securityfocus.com/archive/1/515055/100/0/threaded)

SECUNIA-36669 (http://secunia.com/advisories/36669)

http://www.redhat.com/support/errata/RHSA-2009-1432.html

USN-810-1 (http://www.ubuntu.com/usn/usn-810-1)

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10763

http://www.mandriva.com/security/advisories?name=MDVSA-2009:258

USN-810-2 (https://usn.ubuntu.com/810-2)

http://java.sun.com/javase/6/webnotes/6u17.html

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7155

[syslog-ng-announce] 20110110 syslog-ng Premium Edition 3.2.1a has been released (https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000102.html)

ADV-2010-3126 (http://www.vupen.com/english/advisories/2010/3126)

https://rhn.redhat.com/errata/RHSA-2010-0095.html

ADV-2009-3184 (http://www.vupen.com/english/advisories/2009/3184)

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2409

http://java.sun.com/j2se/1.5.0/ReleaseNotes.html

http://www.vmware.com/security/advisories/VMSA-2010-0019.html

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6631

APPLE-SA-2009-11-09-1 (http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html)

http://www.mandriva.com/security/advisories?name=MDVSA-2010:084

SECUNIA-37386 (http://secunia.com/advisories/37386)

ADV-2009-2085 (http://www.vupen.com/english/advisories/2009/2085)

DSA-1874 (http://www.debian.org/security/2009/dsa-1874)

SECUNIA-36739 (http://secunia.com/advisories/36739)

http://support.apple.com/kb/HT3937

Miscellaneous

https://usn.ubuntu.com/810-2/

Rapid7

Technical Analysis