CVE-2009-3639

2009-10-2814:30:00

CWE-310

[email protected]

web.nvd.nist.gov

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:P/A:P

AI Score

6.3

Confidence

High

EPSS

0.005

Percentile

75.8%

JSON

The mod_tls module in ProFTPD before 1.3.2b, and 1.3.3 before 1.3.3rc2, when the dNSNameRequired TLS option is enabled, does not properly handle a ‘\0’ character in a domain name in the Subject Alternative Name field of an X.509 client certificate, which allows remote attackers to bypass intended client-hostname restrictions via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Affected configurations

Nvd

Node

proftpdproftpdRange≤1.3.2a

proftpdproftpdMatch1.3.1

proftpdproftpdMatch1.3.2

proftpdproftpdMatch1.3.2rc1

proftpdproftpdMatch1.3.2rc2

proftpdproftpdMatch1.3.2rc4

proftpdproftpdMatch1.3.3rc1

VendorProductVersionCPE
proftpdproftpd*cpe:2.3:a:proftpd:proftpd:*:a:*:*:*:*:*:*
proftpdproftpd1.3.1cpe:2.3:a:proftpd:proftpd:1.3.1:*:*:*:*:*:*:*
proftpdproftpd1.3.2cpe:2.3:a:proftpd:proftpd:1.3.2:*:*:*:*:*:*:*
proftpdproftpd1.3.2cpe:2.3:a:proftpd:proftpd:1.3.2:rc1:*:*:*:*:*:*
proftpdproftpd1.3.2cpe:2.3:a:proftpd:proftpd:1.3.2:rc2:*:*:*:*:*:*
proftpdproftpd1.3.2cpe:2.3:a:proftpd:proftpd:1.3.2:rc4:*:*:*:*:*:*
proftpdproftpd1.3.3cpe:2.3:a:proftpd:proftpd:1.3.3:rc1:*:*:*:*:*:*

Vendor	Product	Version	CPE
proftpd	proftpd	*	cpe:2.3:a:proftpd:proftpd::a::::::*
proftpd	proftpd	1.3.1	cpe:2.3:a:proftpd:proftpd:1.3.1:::::::*
proftpd	proftpd	1.3.2	cpe:2.3:a:proftpd:proftpd:1.3.2:::::::*
proftpd	proftpd	1.3.2	cpe:2.3:a:proftpd:proftpd:1.3.2:rc1::::::
proftpd	proftpd	1.3.2	cpe:2.3:a:proftpd:proftpd:1.3.2:rc2::::::
proftpd	proftpd	1.3.2	cpe:2.3:a:proftpd:proftpd:1.3.2:rc4::::::
proftpd	proftpd	1.3.3	cpe:2.3:a:proftpd:proftpd:1.3.3:rc1::::::