Certificate Validation Flaw in Mozilla Products
CVE-2008-2809

Currently unrated

Key Information:

Vendor: Mozilla
CVE Published: 8 July 2008

Summary

Certain versions of Mozilla products, including Firefox, SeaMonkey, and Netscape, validate SSL server certificates incorrectly. When a user accepts an SSL certificate based solely on the Common Name (CN) in its Distinguished Name (DN) field, the product also accepts that certificate for every subject listed in its subjectAltName:dNSName fields. Remote attackers can exploit this to deceive users into trusting invalid certificates, potentially leading to data breaches or phishing attacks on spoofed websites.
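The behaviour described above, as a simplified model added here for illustration (it is not Mozilla's code): one exception store lets a single user approval cover every name the certificate lists, the other binds the approval to the host the user actually saw. All class names, hostnames and the fingerprint are hypothetical, and the scoped store is one assumed mitigation, not the vendor's fix.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    fingerprint: str           # constructed placeholder, not a real hash
    common_name: str           # CN from the subject DN
    san_dns_names: tuple = ()  # subjectAltName:dNSName entries


@dataclass
class BroadExceptionStore:
    """Flawed behaviour: one acceptance covers every name the certificate lists."""
    accepted: list = field(default_factory=list)

    def accept(self, cert, host_shown_to_user):
        # The host the user was looking at is ignored entirely.
        self.accepted.append(cert)

    def is_trusted(self, cert, host):
        names = {cert.common_name, *cert.san_dns_names}
        return cert in self.accepted and host.lower() in {n.lower() for n in names}


@dataclass
class ScopedExceptionStore:
    """Hardened behaviour: the exception is bound to the host the user approved."""
    accepted: set = field(default_factory=set)

    def accept(self, cert, host_shown_to_user):
        self.accepted.add((host_shown_to_user.lower(), cert.fingerprint))

    def is_trusted(self, cert, host):
        return (host.lower(), cert.fingerprint) in self.accepted


def audit(store_cls, cert, approved_host, probe_hosts):
    """Return the probe hosts a store would trust after one user approval."""
    store = store_cls()
    store.accept(cert, approved_host)
    return [h for h in probe_hosts if store.is_trusted(cert, h)]


# Constructed sample: an untrusted certificate whose CN matches the site the
# user approved, while its SAN list also names an unrelated site.
SAMPLE = Cert("FP-PLACEHOLDER", "intranet.example.test",
              ("intranet.example.test", "bank.example.com"))
PROBES = ["intranet.example.test", "bank.example.com", "other.example.org"]
```

Calling `audit(BroadExceptionStore, SAMPLE, "intranet.example.test", PROBES)` shows the approval leaking to the second SAN name; the same call with `ScopedExceptionStore` returns only the approved host.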

Timeline

  • Vulnerability published

  • Vulnerability Reserved
