CVE-2009-3555

CVSS v2.0 5.8 (Medium)
EPSS 0.36% (73rd percentile)
Affected Products 8
Advisories 69

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

Weaknesses
CWE-295
Improper Certificate Validation
Related CVEs
CVE Status
PUBLISHED
CNA
Red Hat, Inc.
Published Date
2009-11-09 17:30:00
Updated Date
2023-02-13 02:20:27

Affected Products


Configuration #1

Product                                CPE 2.3                                    From    Up To
-------------------------------------  -----------------------------------------  ------  ---------
Apache HTTP Server (2.2.14 and prior)  cpe:2.3:a:apache:http_server               -       <= 2.2.14
GnuTLS (2.8.5 and prior)               cpe:2.3:a:gnu:gnutls                       -       <= 2.8.5
Mozilla NSS (3.12.4 and prior)         cpe:2.3:a:mozilla:nss                      -       <= 3.12.4
OpenSSL (0.9.8k and prior)             cpe:2.3:a:openssl:openssl                  -       <= 0.9.8k
OpenSSL 1.0 OpenVMS Edition            cpe:2.3:a:openssl:openssl:1.0:*:openvms    -       -

Configuration #2

Product                        CPE 2.3                                        From    Up To
-----------------------------  ---------------------------------------------  ------  ------
Canonical Ubuntu Linux 8.04    cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:lts   -       -
Canonical Ubuntu Linux 8.10    cpe:2.3:o:canonical:ubuntu_linux:8.10          -       -
Canonical Ubuntu Linux 9.04    cpe:2.3:o:canonical:ubuntu_linux:9.04          -       -
Canonical Ubuntu Linux 9.10    cpe:2.3:o:canonical:ubuntu_linux:9.10          -       -
Canonical Ubuntu Linux 10.04   cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:lts  -       -
Canonical Ubuntu Linux 10.10   cpe:2.3:o:canonical:ubuntu_linux:10.10         -       -
Debian Linux 4.0               cpe:2.3:o:debian:debian_linux:4.0              -       -
Debian Linux 5.0               cpe:2.3:o:debian:debian_linux:5.0              -       -
Debian Linux 6.0               cpe:2.3:o:debian:debian_linux:6.0              -       -
Debian Linux 7.0               cpe:2.3:o:debian:debian_linux:7.0              -       -
Debian Linux 8.0               cpe:2.3:o:debian:debian_linux:8.0              -       -
Fedora Project Fedora 11       cpe:2.3:o:fedoraproject:fedora:11              -       -
Fedora Project Fedora 12       cpe:2.3:o:fedoraproject:fedora:12              -       -
Fedora Project Fedora 13       cpe:2.3:o:fedoraproject:fedora:13              -       -
Fedora Project Fedora 14       cpe:2.3:o:fedoraproject:fedora:14              -       -

Configuration #3

Product                          CPE 2.3               From       Up To
-------------------------------  --------------------  ---------  ---------
F5 NGINX (0.1.0 through 0.8.22)  cpe:2.3:a:f5:nginx    >= 0.1.0   <= 0.8.22