Vulnerability Details : CVE-2009-2417
lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Products affected by CVE-2009-2417
- cpe:2.3:a:curl:libcurl:7.12:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.14.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.15:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.12.2:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.15.3:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.16.3:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.12.3:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.19.3:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.13.2:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.14:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.15.2:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.13:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.4:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.7:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.10.4:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.17.0:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.19.2:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.5:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.8:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.9.7:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.10.5:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.10.6:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.17.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.18.0:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.19.4:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.19.5:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.6:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.19.0:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.19.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.9:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.9.8:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.10:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.10.7:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.10.8:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.18.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.18.2:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.13.2:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.15.2:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.15.3:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.15:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.16.3:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.14:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.14.1:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.13:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.12.3:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.12:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.12.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2009-2417
0.15%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 50 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2009-2417
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
CWE ids for CVE-2009-2417
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2009-2417
-
http://curl.haxx.se/CVE-2009-2417/curl-7.15.1-CVE-2009-2417.patch
curl: page not foundPatch
-
http://www.securityfocus.com/archive/1/506055/100/0/threaded
-
http://curl.haxx.se/CVE-2009-2417/curl-7.16.4-CVE-2009-2417.patch
curl: page not foundPatch;Vendor Advisory
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8542
404 Not Found
-
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
VMSA-2009-0016.6
-
http://wiki.rpath.com/Advisories:rPSA-2009-0124
-
http://www.vupen.com/english/advisories/2009/3316
Webmail: access your OVH emails on ovhcloud.com | OVHcloud
-
http://www.securityfocus.com/bid/36032
-
http://curl.haxx.se/CVE-2009-2417/curl-7.18.1-CVE-2009-2417.patch
curl: page not foundPatch
-
http://curl.haxx.se/CVE-2009-2417/curl-7.19.5-CVE-2009-2417.patch
curl: page not foundPatch
-
http://www.vupen.com/english/advisories/2009/2263
Site en constructionVendor Advisory
-
http://curl.haxx.se/CVE-2009-2417/curl-7.10.6-CVE-2009-2417.patch
curl: page not foundPatch
-
http://support.apple.com/kb/HT4077
About the security content of Security Update 2010-002 / Mac OS X v10.6.3 - Apple Support
-
http://shibboleth.internet2.edu/secadv/secadv_20090817.txt
404 Not Found
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/52405
cURL and libcurl certificate security bypass CVE-2009-2417 Vulnerability Report
-
http://curl.haxx.se/CVE-2009-2417/curl-7.15.5-CVE-2009-2417.patch
curl: page not foundPatch
-
http://curl.haxx.se/CVE-2009-2417/curl-7.12.1-CVE-2009-2417.patch
curl: page not foundPatch
-
http://curl.haxx.se/CVE-2009-2417/curl-7.19.0-CVE-2009-2417.patch
curl: page not foundPatch
-
http://curl.haxx.se/docs/adv_20090812.txt
curl: page not foundVendor Advisory
-
http://www.securityfocus.com/archive/1/507985/100/0/threaded
-
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
Apple - Lists.apple.com
-
http://curl.haxx.se/CVE-2009-2417/curl-7.11.0-CVE-2009-2417.patch
curl: page not foundPatch
-
http://www.ubuntu.com/usn/USN-1158-1
USN-1158-1: curl vulnerabilities | Ubuntu security notices
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10114
404 Not Found
Jump to