CVE-2009-3941

Martin Lambers mpop before 1.0.19, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the (1) subject's Common Name or (2) Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://mpop.sourceforge.net/news.html	Patch
http://secunia.com/advisories/37312	Vendor Advisory
http://www.vupen.com/english/advisories/2009/3225	Patch Vendor Advisory
http://mpop.sourceforge.net/news.html	Patch
http://secunia.com/advisories/37312	Vendor Advisory
http://www.vupen.com/english/advisories/2009/3225	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:martin_lambers:mpop::::::::
	cpe:2.3:a:martin_lambers:mpop:0.1.0:::::::*
	cpe:2.3:a:martin_lambers:mpop:0.1.1:::::::*
	cpe:2.3:a:martin_lambers:mpop:0.1.2:::::::*
	cpe:2.3:a:martin_lambers:mpop:0.1.3:::::::*
	cpe:2.3:a:martin_lambers:mpop:0.1.4:::::::*
	cpe:2.3:a:martin_lambers:mpop:0.2.0:::::::*
	cpe:2.3:a:martin_lambers:mpop:0.3.0:::::::*
	cpe:2.3:a:martin_lambers:mpop:0.3.1:::::::*
	cpe:2.3:a:martin_lambers:mpop:0.4.0:::::::*
	cpe:2.3:a:martin_lambers:mpop:0.4.1:::::::*
	cpe:2.3:a:martin_lambers:mpop:0.4.2:::::::*
	cpe:2.3:a:martin_lambers:mpop:0.4.3:::::::*
	cpe:2.3:a:martin_lambers:mpop:0.5.0:::::::*
	cpe:2.3:a:martin_lambers:mpop:0.6.0:::::::*
	cpe:2.3:a:martin_lambers:mpop:0.6.1:::::::*
	cpe:2.3:a:martin_lambers:mpop:0.6.2:::::::*
	cpe:2.3:a:martin_lambers:mpop:0.6.3:::::::*
	cpe:2.3:a:martin_lambers:mpop:0.7.0:::::::*
	cpe:2.3:a:martin_lambers:mpop:0.8.0:::::::*
	cpe:2.3:a:martin_lambers:mpop:0.8.1:::::::*
	cpe:2.3:a:martin_lambers:mpop:0.8.2:::::::*
	cpe:2.3:a:martin_lambers:mpop:0.8.3:::::::*
	cpe:2.3:a:martin_lambers:mpop:0.8.4:::::::*
	cpe:2.3:a:martin_lambers:mpop:0.8.5:::::::*
	cpe:2.3:a:martin_lambers:mpop:1.0.0:::::::*
	cpe:2.3:a:martin_lambers:mpop:1.0.1:::::::*
	cpe:2.3:a:martin_lambers:mpop:1.0.2:::::::*
	cpe:2.3:a:martin_lambers:mpop:1.0.3:::::::*
	cpe:2.3:a:martin_lambers:mpop:1.0.4:::::::*
	cpe:2.3:a:martin_lambers:mpop:1.0.5:::::::*
	cpe:2.3:a:martin_lambers:mpop:1.0.6:::::::*
	cpe:2.3:a:martin_lambers:mpop:1.0.8:::::::*
	cpe:2.3:a:martin_lambers:mpop:1.0.9:::::::*
	cpe:2.3:a:martin_lambers:mpop:1.0.10:::::::*
	cpe:2.3:a:martin_lambers:mpop:1.0.11:::::::*
	cpe:2.3:a:martin_lambers:mpop:1.0.12:::::::*
	cpe:2.3:a:martin_lambers:mpop:1.0.13:::::::*
	cpe:2.3:a:martin_lambers:mpop:1.0.14:::::::*
	cpe:2.3:a:martin_lambers:mpop:1.0.15:::::::*
	cpe:2.3:a:martin_lambers:mpop:1.0.16:::::::*
	cpe:2.3:a:martin_lambers:mpop:1.0.17:::::::*

History

21 Nov 2024, 01:08

Type	Values Removed	Values Added
References	~~() http://mpop.sourceforge.net/news.html - Patch~~	() http://mpop.sourceforge.net/news.html - Patch
References	~~() http://secunia.com/advisories/37312 - Vendor Advisory~~	() http://secunia.com/advisories/37312 - Vendor Advisory
References	~~() http://www.vupen.com/english/advisories/2009/3225 - Patch, Vendor Advisory~~	() http://www.vupen.com/english/advisories/2009/3225 - Patch, Vendor Advisory

Information

Published : 2009-11-16 19:30

Updated : 2025-04-09 00:30

NVD link : CVE-2009-3941

Mitre link : CVE-2009-3941

CVE.ORG link : CVE-2009-3941

JSON object : View

Products Affected

martin_lambers

mpop

CWE

CWE-310

Cryptographic Issues

{"id": "CVE-2009-3941", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2009-11-16T19:30:01.047", "references": [{"url": "http://mpop.sourceforge.net/news.html", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/37312", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.vupen.com/english/advisories/2009/3225", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://mpop.sourceforge.net/news.html", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/37312", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.vupen.com/english/advisories/2009/3225", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-310"}]}], "descriptions": [{"lang": "en", "value": "Martin Lambers mpop before 1.0.19, when OpenSSL is used, does not properly handle a '\\0' character in a domain name in the (1) subject's Common Name or (2) Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408."}, {"lang": "es", "value": "Martin Lambers mpop versiones anteriores a v1.4.19, cuando usa OpenSSL, no maneja adecuadamente un car\u00e1cter '\\0' en un nombre de dominio (1) en el campo nombre com\u00fan del sujeto o (2) en el campo nombre alternativo del sujeto de un certificado X.509, permitiendo que atacantes de hombre en medio (man-in-the-middle) suplantar a servidores SSL de su elecci\u00f3n mediante un certificado modificado emitido por una Autoridad de Certificaci\u00f3n leg\u00edtima, estando relacionado con el CVE-2009-2408."}], "lastModified": "2025-04-09T00:30:58.490", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:martin_lambers:mpop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2A334487-BFC7-4BD3-A41C-B4A7A03FD688", "versionEndIncluding": "1.0.18"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:0.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F3D33CFC-B3AD-447D-9ED7-B9EB56F37963"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:0.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C1101564-6C93-4116-8286-423ECF1CE1F9"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:0.1.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "52F89E31-4C4F-4596-8BDB-DD6AA202A66B"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:0.1.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13B423FE-A656-4E05-8E56-ADA3BB25055C"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:0.1.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A4533F4B-B737-4AE8-8BE4-52F18AC81CF3"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:0.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "73161FA8-6BDB-480A-959A-FE75A0A094A9"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:0.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5D831D74-1D1A-43BF-989C-CA2541B34F2B"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:0.3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EA886F91-162A-4272-A854-E4C2ABA1880F"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:0.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C73DAC9F-AF34-412B-8483-BD642E9AD7CB"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:0.4.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2E5F1142-E4BC-4AC4-AB85-33A5AC35D7A9"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:0.4.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "03C05F7D-BA83-44D4-8E47-45CF339EFB63"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:0.4.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9A312B4E-F43D-4649-A8F8-811657D5D6EA"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:0.5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8E9BD996-6003-4ACA-A661-810018EF750D"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:0.6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "15117F01-79FF-47A7-8D1E-BA1F8E96A1ED"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:0.6.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FB4C433A-9796-4C11-8B3F-DD93191B200F"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:0.6.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C63DB55C-3454-4E28-9BE3-6E2AF7F0C2C4"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:0.6.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DBAF238F-6E35-4C79-BA57-9DFBCE1F32DF"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:0.7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "09FB5DCD-94E2-469E-83E8-E7489DFECF28"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:0.8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "813E3390-A91A-440E-947F-98777CF0C008"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:0.8.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "83BAB091-5DF5-48D1-B12F-FAA7AE304BAE"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:0.8.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "832106E3-7743-412D-B92E-CF8F4AFD630E"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:0.8.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "29EA91C5-EAD8-476C-A198-3BB9D11DF47F"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:0.8.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "00E17910-D6CC-4AE3-B119-90798F441338"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:0.8.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7DE2045F-C0EB-433F-8D44-7B257AF1A976"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:1.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BD03AAD4-18CE-4109-B63E-F0447AD5D57E"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:1.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F60C96B3-834A-467E-B823-56F95AC53394"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:1.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2BC5660E-D2FB-4D73-8D45-BC92388CFA6B"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:1.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EF5CED20-DF1C-4172-ABC4-BB8C88A59D71"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:1.0.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2B75E57F-D5A5-4925-95A1-7680D9A186C8"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:1.0.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E71A841C-1ED3-4634-8BA4-5F0A50CB6636"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:1.0.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CE437EFD-6F1F-4946-91A7-E198DDC70693"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:1.0.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "94F9FEC8-15D0-4327-975F-359A595A10B7"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:1.0.9:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6AD2F2D6-BD1A-4413-9499-B45352AE5D2F"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:1.0.10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2011EBF2-DAF7-4F9A-861E-8C7CB01E9620"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:1.0.11:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "894E6D56-3A5F-49DC-B99D-2148B548335B"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:1.0.12:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6DF077CF-E698-4506-8AD8-B339166298BA"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:1.0.13:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6D879455-E7E1-448C-A425-E9C576540E73"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:1.0.14:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "68D38E74-A95C-4009-AEBD-3575A98824AE"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:1.0.15:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3B8B0B5D-9932-4924-B0C9-C10B8EA46F56"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:1.0.16:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A0432B82-D516-4771-9D2E-684CA81A5680"}, {"criteria": "cpe:2.3:a:martin_lambers:mpop:1.0.17:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F6A767CC-D28E-497E-9CB5-DE930304C7C7"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}

5.0 /10