Lucene search

Debian Security Bug TrackerDEBIANCVE:CVE-2009-3475

HistoryOct 03, 2022 - 4:23 p.m.

CVE-2009-3475

2022-10-0316:23:56

Debian Security Bug Tracker

security-tracker.debian.org

internet2

shibboleth

ssl

spoofing

certificate

cve-2009-3475

pkix

validation

man-in-the-middle

attackers

unix

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

0.003 Low

EPSS

Percentile

65.2%

JSON

Internet2 Shibboleth Service Provider software 1.3.x before 1.3.3 and 2.x before 2.2.1, when using PKIX trust validation, does not properly handle a ‘\0’ character in the subject or subjectAltName fields of a certificate, which allows remote man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

OSVersionArchitecturePackageVersionFilename
Debian12allopensaml< 3.0.0-2opensaml_3.0.0-2_all.deb
Debian11allopensaml< 3.0.0-2opensaml_3.0.0-2_all.deb
Debian999allopensaml< 3.0.0-2opensaml_3.0.0-2_all.deb
Debian13allopensaml< 3.0.0-2opensaml_3.0.0-2_all.deb
Debian12allshibboleth-sp< 3.0.2+dfsg1-2shibboleth-sp_3.0.2+dfsg1-2_all.deb
Debian11allshibboleth-sp< 3.0.2+dfsg1-2shibboleth-sp_3.0.2+dfsg1-2_all.deb
Debian999allshibboleth-sp< 3.0.2+dfsg1-2shibboleth-sp_3.0.2+dfsg1-2_all.deb
Debian13allshibboleth-sp< 3.0.2+dfsg1-2shibboleth-sp_3.0.2+dfsg1-2_all.deb
Debian12allxmltooling< 1.2.2-1xmltooling_1.2.2-1_all.deb
Debian11allxmltooling< 1.2.2-1xmltooling_1.2.2-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	opensaml	< 3.0.0-2	opensaml_3.0.0-2_all.deb
Debian	11	all	opensaml	< 3.0.0-2	opensaml_3.0.0-2_all.deb
Debian	999	all	opensaml	< 3.0.0-2	opensaml_3.0.0-2_all.deb
Debian	13	all	opensaml	< 3.0.0-2	opensaml_3.0.0-2_all.deb
Debian	12	all	shibboleth-sp	< 3.0.2+dfsg1-2	shibboleth-sp_3.0.2+dfsg1-2_all.deb
Debian	11	all	shibboleth-sp	< 3.0.2+dfsg1-2	shibboleth-sp_3.0.2+dfsg1-2_all.deb
Debian	999	all	shibboleth-sp	< 3.0.2+dfsg1-2	shibboleth-sp_3.0.2+dfsg1-2_all.deb
Debian	13	all	shibboleth-sp	< 3.0.2+dfsg1-2	shibboleth-sp_3.0.2+dfsg1-2_all.deb
Debian	12	all	xmltooling	< 1.2.2-1	xmltooling_1.2.2-1_all.deb
Debian	11	all	xmltooling	< 1.2.2-1	xmltooling_1.2.2-1_all.deb