CVE-2009-2408

CVSS v3.1 5.9 (Medium)
CVSS v2.0 6.8 (Medium)
EPSS 0.25 % (65th)
Affected Products 9
Advisories 5

Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.

CVE Status: PUBLISHED
CNA: Red Hat, Inc.
Published Date: 2009-07-30 19:30:00 (15 years ago)
Updated Date: 2024-02-14 17:21:52 (7 months ago)

Affected Products


Configuration #1

| Product | CPE23 | From | Up To |
|---|---|---|---|
| Mozilla Firefox prior 3.0.13 version | cpe:2.3:a:mozilla:firefox | | < 3.0.13 |
| Mozilla Network Security Services prior 3.12.3 version | cpe:2.3:a:mozilla:network_security_services | | < 3.12.3 |
| Mozilla Seamonkey prior 1.1.18 version | cpe:2.3:a:mozilla:seamonkey | | < 1.1.18 |
| Mozilla Thunderbird prior 2.0.0.23 version | cpe:2.3:a:mozilla:thunderbird | | < 2.0.0.23 |

Configuration #2

| Product | CPE23 | From | Up To |
|---|---|---|---|
| Opensuse from 10.3 version and 11.1 and prior versions | cpe:2.3:o:opensuse:opensuse | >= 10.3 | <= 11.1 |
| Suse Linux Enterprise 10.0 | cpe:2.3:o:suse:linux_enterprise:10.0:- | | |
| Suse Linux Enterprise 11.0 | cpe:2.3:o:suse:linux_enterprise:11.0:- | | |
| Suse Linux Enterprise Server 9 | cpe:2.3:o:suse:linux_enterprise_server:9 | | |

Configuration #3

| Product | CPE23 | From | Up To |
|---|---|---|---|
| Debian Linux 5.0 | cpe:2.3:o:debian:debian_linux:5.0 | | |

Configuration #4

| Product | CPE23 | From | Up To |
|---|---|---|---|
| Canonical Ubuntu Linux 8.04 | cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:- | | |
| Canonical Ubuntu Linux 8.10 | cpe:2.3:o:canonical:ubuntu_linux:8.10 | | |
| Canonical Ubuntu Linux 9.04 | cpe:2.3:o:canonical:ubuntu_linux:9.04 | | |