Lucene search
HistoryNov 16, 2009 - 7:30 p.m.
CVE-2009-3942
msmtp
openssl
ssl server spoofing
cve-2009-3942
nvd
CVSS2
6.4
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:P/A:P
AI Score
6
Confidence
High
EPSS
0.003
Percentile
65.2%
Martin Lambers msmtp before 1.4.19, when OpenSSL is used, does not properly handle a ‘\0’ character in a domain name in the (1) subject’s Common Name or (2) Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Affected configurations
Node
martin_lambersmsmtpRange≤1.4.18
ORmartin_lambersmsmtpMatch0.2.5
ORmartin_lambersmsmtpMatch0.2.6
ORmartin_lambersmsmtpMatch0.3.0
ORmartin_lambersmsmtpMatch0.3.1
ORmartin_lambersmsmtpMatch0.4.0
ORmartin_lambersmsmtpMatch0.4.1
ORmartin_lambersmsmtpMatch0.4.2
ORmartin_lambersmsmtpMatch0.5.0
ORmartin_lambersmsmtpMatch0.5.1
ORmartin_lambersmsmtpMatch0.5.2
ORmartin_lambersmsmtpMatch0.5.3
ORmartin_lambersmsmtpMatch0.6.0
ORmartin_lambersmsmtpMatch0.6.1
ORmartin_lambersmsmtpMatch0.6.2
ORmartin_lambersmsmtpMatch0.6.3
ORmartin_lambersmsmtpMatch0.6.4
ORmartin_lambersmsmtpMatch0.6.5
ORmartin_lambersmsmtpMatch0.6.6
ORmartin_lambersmsmtpMatch0.7.0
ORmartin_lambersmsmtpMatch0.7.1
ORmartin_lambersmsmtpMatch0.7.2
ORmartin_lambersmsmtpMatch1.0.0
ORmartin_lambersmsmtpMatch1.2.0
ORmartin_lambersmsmtpMatch1.2.1
ORmartin_lambersmsmtpMatch1.2.2
ORmartin_lambersmsmtpMatch1.2.3
ORmartin_lambersmsmtpMatch1.2.4
ORmartin_lambersmsmtpMatch1.4.0
ORmartin_lambersmsmtpMatch1.4.1
ORmartin_lambersmsmtpMatch1.4.2
ORmartin_lambersmsmtpMatch1.4.3
ORmartin_lambersmsmtpMatch1.4.4
ORmartin_lambersmsmtpMatch1.4.5
ORmartin_lambersmsmtpMatch1.4.6
ORmartin_lambersmsmtpMatch1.4.7
ORmartin_lambersmsmtpMatch1.4.8
ORmartin_lambersmsmtpMatch1.4.9
ORmartin_lambersmsmtpMatch1.4.10
ORmartin_lambersmsmtpMatch1.4.11
ORmartin_lambersmsmtpMatch1.4.12
ORmartin_lambersmsmtpMatch1.4.13
ORmartin_lambersmsmtpMatch1.4.14
ORmartin_lambersmsmtpMatch1.4.15
ORmartin_lambersmsmtpMatch1.4.16
ORmartin_lambersmsmtpMatch1.4.17
| Vendor | Product | Version | CPE |
|---|---|---|---|
| martin_lambers | msmtp | 0.2.6 | cpe:/a:martin_lambers:msmtp:0.2.6::: |
| martin_lambers | msmtp | 1.4.12 | cpe:/a:martin_lambers:msmtp:1.4.12::: |
| martin_lambers | msmtp | 0.5.3 | cpe:/a:martin_lambers:msmtp:0.5.3::: |
| martin_lambers | msmtp | 0.4.2 | cpe:/a:martin_lambers:msmtp:0.4.2::: |
| martin_lambers | msmtp | 0.5.2 | cpe:/a:martin_lambers:msmtp:0.5.2::: |
| martin_lambers | msmtp | cpe:/a:martin_lambers:msmtp:::: | |
| martin_lambers | msmtp | 1.4.0 | cpe:/a:martin_lambers:msmtp:1.4.0::: |
| martin_lambers | msmtp | 0.6.2 | cpe:/a:martin_lambers:msmtp:0.6.2::: |
| martin_lambers | msmtp | 1.4.17 | cpe:/a:martin_lambers:msmtp:1.4.17::: |
| martin_lambers | msmtp | 1.2.1 | cpe:/a:martin_lambers:msmtp:1.2.1::: |
Related
ubuntucve
ubuntucve
nvd
nvd
debiancve
debiancve
prion
prion
Design/Logic Flaw
2009-11-16 19:30:00
Code injection
2009-07-30 19:30:00
Design/Logic Flaw
2009-09-29 23:30:00
cvelist
cvelist
nessus
nessus
openSUSE Security Update : msmtp (msmtp-1813)
2010-01-20 00:00:00
openSUSE Security Update : msmtp (msmtp-1813)
2010-01-20 00:00:00
openSUSE Security Update : msmtp (msmtp-1813)
2010-01-20 00:00:00
openvas
openvas
Gentoo Security Advisory GLSA 201206-34 (msmtp)
2012-08-10 00:00:00
Gentoo Security Advisory GLSA 201206-34 (msmtp)
2012-08-10 00:00:00
SLES10: Security update for OpenLDAP2
2009-10-13 00:00:00
gentoo
gentoo
msmtp: X.509 NULL spoofing vulnerability
2012-06-25 00:00:00
mozilla
mozilla
Compromise of SSL-protected communication — Mozilla
2009-08-01 00:00:00
threatpost
threatpost
Apple Safari
2009-12-29 21:50:26
veracode
veracode
Man-in-the-Middle (MitM)
2020-04-10 00:33:40
Man-in-the-Middle (MitM)
2019-01-15 08:51:35
seebug
seebug
Mozilla Firefox NULL字符CA SSL证书验证安全绕过漏洞
2009-07-31 00:00:00
securityvulns
securityvulns
Mozilla Foundation Security Advisory 2009-42
2009-08-07 00:00:00
cURL / libcurl SSL certificate spoofing
2009-08-17 00:00:00
[ MDVSA-2009:203 ] curl
2009-08-17 00:00:00
exploitdb
exploitdb
cve
cve
debian
debian
[Backports-security-announce] Security Update for proftpd-dfsg
2010-01-26 21:30:08
[Backports-security-announce] Security Update for proftpd-dfsg
2010-01-26 21:06:44
talos
talos
Randombit Botan Library X509 Certificate Validation Bypass Vulnerability
2017-04-28 00:00:00
f5
f5
SOL15683 - Ruby vulnerability CVE-2013-4073
2014-10-09 00:00:00
SOL15638 - Python vulnerability CVE-2013-4238
2014-09-29 00:00:00
amazon
amazon
Medium: python27
2013-09-04 13:31:00
CVSS2
6.4
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:P/A:P
AI Score
6
Confidence
High
EPSS
0.003
Percentile
65.2%
Related for CVE-2009-3942