Vulnerability in GNU Wget Allows Man-in-the-Middle Attacks via SSL Certificate Spoofing
CVE-2009-3490
Currently unrated
Summary
GNU Wget prior to version 1.12 does not correctly handle a null character ('\0') within the Common Name field of an X.509 certificate. Remote attackers can exploit this flaw to perform man-in-the-middle attacks, potentially impersonating SSL servers with a certificate issued by a trusted Certification Authority. In affected versions of Wget, the integrity and authenticity of SSL connections therefore cannot be relied on.