CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
EPSS
Percentile
51.1%
Matthias Andree reports:
Moxie Marlinspike demonstrated in July 2009 that some CAs would
sign certificates that contain embedded NUL characters in the
Common Name or subjectAltName fields of ITU-T X.509
certificates.
Applications that would treat such X.509 strings as
NUL-terminated C strings (rather than strings that contain an
explicit length field) would only check the part up to and
excluding the NUL character, so that certificate names such as
www.good.example\0www.bad.example.com would be mistaken as a
certificate name for www.good.example. fetchmail also had this
design and implementation flaw.