Lucene search

[email protected]CVE-2009-2409

HistoryJul 30, 2009 - 7:30 p.m.

CVE-2009-2409

2009-07-3019:30:00

CWE-310

[email protected]

web.nvd.nist.gov

108

cve-2009-2409

network security services

nss library

gnutls

openssl

md2

x.509

hash collision

certificate spoofing

remote attack

5.1 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

5.8 Medium

AI Score

Confidence

High

0.014 Low

EPSS

Percentile

86.4%

JSON

The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.

Affected configurations

NVD

Node

mozillafirefox

AND

mozillafirefox

mozillanssRange≤3.12.2

mozillanssMatch3.0

mozillanssMatch3.2

mozillanssMatch3.2.1

mozillanssMatch3.3

mozillanssMatch3.3.1

mozillanssMatch3.3.2

mozillanssMatch3.4

mozillanssMatch3.4.1

mozillanssMatch3.4.2

mozillanssMatch3.4.3

mozillanssMatch3.5

mozillanssMatch3.6

mozillanssMatch3.6.1

mozillanssMatch3.7

mozillanssMatch3.7.1

mozillanssMatch3.7.2

mozillanssMatch3.7.3

mozillanssMatch3.7.5

mozillanssMatch3.7.7

mozillanssMatch3.8

mozillanssMatch3.9

mozillanssMatch3.9.5

mozillanssMatch3.10

mozillanssMatch3.11.2

mozillanssMatch3.11.4

mozillanssMatch3.11.7

mozillanssMatch3.11.8

mozillanssMatch3.12

mozillanssMatch3.12.1

Node

opensslopensslMatch0.9.8

opensslopensslMatch0.9.8a

opensslopensslMatch0.9.8b

opensslopensslMatch0.9.8c

opensslopensslMatch0.9.8d

opensslopensslMatch0.9.8e

opensslopensslMatch0.9.8f

opensslopensslMatch0.9.8g

opensslopensslMatch0.9.8h

opensslopensslMatch0.9.8i

opensslopensslMatch0.9.8j

opensslopensslMatch0.9.8k

Node

gnugnutlsRange≤2.6.3

gnugnutlsMatch1.0.16

gnugnutlsMatch1.0.17

gnugnutlsMatch1.0.18

gnugnutlsMatch1.0.19

gnugnutlsMatch1.0.20

gnugnutlsMatch1.0.21

gnugnutlsMatch1.0.22

gnugnutlsMatch1.0.23

gnugnutlsMatch1.0.24

gnugnutlsMatch1.0.25

gnugnutlsMatch1.1.13

gnugnutlsMatch1.1.14

gnugnutlsMatch1.1.15

gnugnutlsMatch1.1.16

gnugnutlsMatch1.1.17

gnugnutlsMatch1.1.18

gnugnutlsMatch1.1.19

gnugnutlsMatch1.1.20

gnugnutlsMatch1.1.21

gnugnutlsMatch1.1.22

gnugnutlsMatch1.1.23

gnugnutlsMatch1.2.0

gnugnutlsMatch1.2.1

gnugnutlsMatch1.2.2

gnugnutlsMatch1.2.3

gnugnutlsMatch1.2.4

gnugnutlsMatch1.2.5

gnugnutlsMatch1.2.6

gnugnutlsMatch1.2.7

gnugnutlsMatch1.2.8

gnugnutlsMatch1.2.8.1a1

gnugnutlsMatch1.2.9

gnugnutlsMatch1.2.10

gnugnutlsMatch1.2.11

gnugnutlsMatch1.3.0

gnugnutlsMatch1.3.1

gnugnutlsMatch1.3.2

gnugnutlsMatch1.3.3

gnugnutlsMatch1.3.4

gnugnutlsMatch1.3.5

gnugnutlsMatch1.4.0

gnugnutlsMatch1.4.1

gnugnutlsMatch1.4.2

gnugnutlsMatch1.4.3

gnugnutlsMatch1.4.4

gnugnutlsMatch1.4.5

gnugnutlsMatch1.5.0

gnugnutlsMatch1.5.1

gnugnutlsMatch1.5.2

gnugnutlsMatch1.5.3

gnugnutlsMatch1.5.4

gnugnutlsMatch1.5.5

gnugnutlsMatch1.6.0

gnugnutlsMatch1.6.1

gnugnutlsMatch1.6.2

gnugnutlsMatch1.6.3

gnugnutlsMatch1.7.0

gnugnutlsMatch1.7.1

gnugnutlsMatch1.7.2

gnugnutlsMatch1.7.3

gnugnutlsMatch1.7.4

gnugnutlsMatch1.7.5

gnugnutlsMatch1.7.6

gnugnutlsMatch1.7.7

gnugnutlsMatch1.7.8

gnugnutlsMatch1.7.9

gnugnutlsMatch1.7.10

gnugnutlsMatch1.7.11

gnugnutlsMatch1.7.12

gnugnutlsMatch1.7.13

gnugnutlsMatch1.7.14

gnugnutlsMatch1.7.15

gnugnutlsMatch1.7.16

gnugnutlsMatch1.7.17

gnugnutlsMatch1.7.18

gnugnutlsMatch1.7.19

gnugnutlsMatch2.0.0

gnugnutlsMatch2.0.1

gnugnutlsMatch2.0.2

gnugnutlsMatch2.0.3

gnugnutlsMatch2.0.4

gnugnutlsMatch2.1.0

gnugnutlsMatch2.1.1

gnugnutlsMatch2.1.2

gnugnutlsMatch2.1.3

gnugnutlsMatch2.1.4

gnugnutlsMatch2.1.5

gnugnutlsMatch2.1.6

gnugnutlsMatch2.1.7

gnugnutlsMatch2.1.8

gnugnutlsMatch2.2.0

gnugnutlsMatch2.2.1

gnugnutlsMatch2.2.2

gnugnutlsMatch2.2.3

gnugnutlsMatch2.2.4

gnugnutlsMatch2.2.5

gnugnutlsMatch2.3.0

gnugnutlsMatch2.3.1

gnugnutlsMatch2.3.2

gnugnutlsMatch2.3.3

gnugnutlsMatch2.3.4

gnugnutlsMatch2.3.5

gnugnutlsMatch2.3.6

gnugnutlsMatch2.3.7

gnugnutlsMatch2.3.8

gnugnutlsMatch2.3.9

gnugnutlsMatch2.3.10

gnugnutlsMatch2.3.11

gnugnutlsMatch2.4.0

gnugnutlsMatch2.4.1

gnugnutlsMatch2.4.2

gnugnutlsMatch2.5.0

gnugnutlsMatch2.6.0

gnugnutlsMatch2.6.1

gnugnutlsMatch2.6.2

gnugnutlsMatch2.7.4

CPENameOperatorVersion
mozilla:firefoxmozilla firefoxeq*
mozilla:nssmozilla nssle3.12.2
mozilla:nssmozilla nsseq3.0
mozilla:nssmozilla nsseq3.2
mozilla:nssmozilla nsseq3.2.1
mozilla:nssmozilla nsseq3.3
mozilla:nssmozilla nsseq3.3.1
mozilla:nssmozilla nsseq3.3.2
mozilla:nssmozilla nsseq3.4
mozilla:nssmozilla nsseq3.4.1

CPE	Name	Operator	Version
mozilla:firefox	mozilla firefox	eq	*
mozilla:nss	mozilla nss	le	3.12.2
mozilla:nss	mozilla nss	eq	3.0
mozilla:nss	mozilla nss	eq	3.2
mozilla:nss	mozilla nss	eq	3.2.1
mozilla:nss	mozilla nss	eq	3.3
mozilla:nss	mozilla nss	eq	3.3.1
mozilla:nss	mozilla nss	eq	3.3.2
mozilla:nss	mozilla nss	eq	3.4
mozilla:nss	mozilla nss	eq	3.4.1

Rows per page:

1-10 of 311

References

java.sun.com/j2se/1.5.0/ReleaseNotes.html

java.sun.com/javase/6/webnotes/6u17.html

lists.apple.com/archives/security-announce/2009/Nov/msg00000.html

secunia.com/advisories/36139

secunia.com/advisories/36157

secunia.com/advisories/36434

secunia.com/advisories/36669

secunia.com/advisories/36739

secunia.com/advisories/37386

secunia.com/advisories/42467

security.gentoo.org/glsa/glsa-200911-02.xml

security.gentoo.org/glsa/glsa-200912-01.xml

support.apple.com/kb/HT3937

www.debian.org/security/2009/dsa-1874

www.mandriva.com/security/advisories?name=MDVSA-2009:197

www.mandriva.com/security/advisories?name=MDVSA-2009:216

www.mandriva.com/security/advisories?name=MDVSA-2009:258

www.mandriva.com/security/advisories?name=MDVSA-2010:084

www.redhat.com/support/errata/RHSA-2009-1207.html

www.redhat.com/support/errata/RHSA-2009-1432.html

www.securityfocus.com/archive/1/515055/100/0/threaded

www.securitytracker.com/id?1022631

www.ubuntu.com/usn/usn-810-1

www.vmware.com/security/advisories/VMSA-2010-0019.html

www.vupen.com/english/advisories/2009/2085

www.vupen.com/english/advisories/2009/3184

www.vupen.com/english/advisories/2010/3126

bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2409

lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000101.html

lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000102.html

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10763

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6631

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7155

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8594

rhn.redhat.com/errata/RHSA-2010-0095.html

usn.ubuntu.com/810-2/

www.debian.org/security/2009/dsa-1888

5.1 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

5.8 Medium

AI Score

Confidence

High

0.014 Low

EPSS

Percentile

86.4%

JSON

Related for CVE-2009-2409

nessus57 openvas85 ubuntucve1 f52 cvelist2 veracode1 ubuntu5 prion2 nvd2 debiancve2 securityvulns3 oraclelinux6 centos5 cve1 redhat10 osv2 debian3 vmware6 gentoo1 fedora3