Vulnerability Details : CVE-2009-3024
The verify_hostname_of_cert function in the certificate checking feature in IO-Socket-SSL (IO::Socket::SSL) 1.14 through 1.25 only matches the prefix of a hostname when no wildcard is used, which allows remote attackers to bypass the hostname check for a certificate.
Products affected by CVE-2009-3024
- cpe:2.3:a:io-socket-ssl:io-socket-ssl:1.15:*:*:*:*:*:*:*
- cpe:2.3:a:io-socket-ssl:io-socket-ssl:1.16:*:*:*:*:*:*:*
- cpe:2.3:a:io-socket-ssl:io-socket-ssl:1.20:*:*:*:*:*:*:*
- cpe:2.3:a:io-socket-ssl:io-socket-ssl:1.21:*:*:*:*:*:*:*
- cpe:2.3:a:io-socket-ssl:io-socket-ssl:1.16_3:*:*:*:*:*:*:*
- cpe:2.3:a:io-socket-ssl:io-socket-ssl:1.17:*:*:*:*:*:*:*
- cpe:2.3:a:io-socket-ssl:io-socket-ssl:1.24:*:*:*:*:*:*:*
- cpe:2.3:a:io-socket-ssl:io-socket-ssl:1.25:*:*:*:*:*:*:*
- cpe:2.3:a:io-socket-ssl:io-socket-ssl:1.16_1:*:*:*:*:*:*:*
- cpe:2.3:a:io-socket-ssl:io-socket-ssl:1.16_2:*:*:*:*:*:*:*
- cpe:2.3:a:io-socket-ssl:io-socket-ssl:1.22:*:*:*:*:*:*:*
- cpe:2.3:a:io-socket-ssl:io-socket-ssl:1.23:*:*:*:*:*:*:*
- cpe:2.3:a:io-socket-ssl:io-socket-ssl:1.14:*:*:*:*:*:*:*
- cpe:2.3:a:io-socket-ssl:io-socket-ssl:1.18:*:*:*:*:*:*:*
- cpe:2.3:a:io-socket-ssl:io-socket-ssl:1.19:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2009-3024
0.50%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 73 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2009-3024
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST |
CWE ids for CVE-2009-3024
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2009-3024
-
http://www.openwall.com/lists/oss-security/2009/08/31/4
oss-security - Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug
-
http://www.gentoo.org/security/en/glsa/glsa-201101-06.xml
IO::Socket::SSL: Certificate validation error (GLSA 201101-06) — Gentoo security
-
http://lists.opensuse.org/opensuse-security-announce/2009-09/msg00001.html
[security-announce] SUSE Security Summary Report: SUSE-SR:2009:015 - openSUSE Security Announce - openSUSE Mailing Lists
-
http://www.openwall.com/lists/oss-security/2009/08/29/1
oss-security - Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug
-
http://www.vupen.com/english/advisories/2011/0118
Site en construction
-
http://www.openwall.com/lists/oss-security/2009/08/28/1
oss-security - CVE request: perl-IO-Socket-SSL certificate hostname compare bug
-
http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.30/Changes
Changes - metacpan.org
Jump to