SSL Spoofing Vulnerability in Internet2 Shibboleth Service Provider Software
CVE-2009-3475

Currently unrated

Key Information:

Vendor

Internet2

Status
Shibboleth-sp
Vendor
CVE Published:
29 September 2009

What is CVE-2009-3475?

The Internet2 Shibboleth Service Provider software versions 1.3.x prior to 1.3.3 and 2.x prior to 2.2.1 contain a vulnerability where PKIX trust validation mishandles the null character ('\0') in both the subject and subjectAltName fields of a certificate. This flaw could potentially allow remote attackers to execute man-in-the-middle attacks, effectively spoofing any SSL server using a maliciously crafted certificate issued by a legitimate Certification Authority. This issue relates to another vulnerability identified as CVE-2009-2408.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

http://secunia.com/advisories/36876
third-party-advisoryx_refsource_SECUNIA
http://www.debian.org/security/2009/dsa-1896
vendor-advisoryx_refsource_DEBIAN
http://www.debian.org/security/2009/dsa-1895
vendor-advisoryx_refsource_DEBIAN

Timeline

  • Vulnerability Reserved

  • Vulnerability published

JSON
.