CVE-2009-2408

5.9MEDIUM

Key Information:

Vendor
Mozilla
Status
Firefox
Nss
Vendor
CVE Published:
30 July 2009

Summary

Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.

References

http://secunia.com/advisories/36139
third-party-advisoryx_refsource_SECUNIA
http://secunia.com/advisories/36157
third-party-advisoryx_refsource_SECUNIA
http://www.securitytracker.com/id?1022632
vdb-entryx_refsource_SECTRACK

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.