CVE-2009-3475

2022-10-0316:23:56

CWE-310

[email protected]

web.nvd.nist.gov

cve-2009-3475

internet2

shibboleth

pkix

trust validation

ssl

man-in-the-middle

cve-2009-2408

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

6.2 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

65.4%

JSON

Internet2 Shibboleth Service Provider software 1.3.x before 1.3.3 and 2.x before 2.2.1, when using PKIX trust validation, does not properly handle a ‘\0’ character in the subject or subjectAltName fields of a certificate, which allows remote man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Affected configurations

NVD

Node

internet2shibboleth-spMatch1.3.1

internet2shibboleth-spMatch1.3.2

internet2shibboleth-spMatch1.3f

internet2shibboleth-spMatch2.0

internet2shibboleth-spMatch2.1

internet2shibboleth-spMatch2.2

CPENameOperatorVersion
internet2:shibboleth-spinternet2 shibboleth-speq1.3.1
internet2:shibboleth-spinternet2 shibboleth-speq1.3.2
internet2:shibboleth-spinternet2 shibboleth-speq1.3f
internet2:shibboleth-spinternet2 shibboleth-speq2.0
internet2:shibboleth-spinternet2 shibboleth-speq2.1
internet2:shibboleth-spinternet2 shibboleth-speq2.2

CPE	Name	Operator	Version
internet2:shibboleth-sp	internet2 shibboleth-sp	eq	1.3.1
internet2:shibboleth-sp	internet2 shibboleth-sp	eq	1.3.2
internet2:shibboleth-sp	internet2 shibboleth-sp	eq	1.3f
internet2:shibboleth-sp	internet2 shibboleth-sp	eq	2.0
internet2:shibboleth-sp	internet2 shibboleth-sp	eq	2.1
internet2:shibboleth-sp	internet2 shibboleth-sp	eq	2.2