Vulnerability Details : CVE-2009-3766

mutt_ssl.c in mutt 1.5.16 and other versions before 1.5.19, when OpenSSL is used, does not verify the domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Published 2009-10-23 19:30:00

Updated 2019-11-07 15:35:44

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2009-3766

Probability of exploitation activity in the next 30 days: 0.08%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 35 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2009-3766

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	[email protected]
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2009-3766

CWE-310

Assigned by: [email protected] (Primary)

Vendor statements for CVE-2009-3766

Red Hat 2009-11-26

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-3766 The Red Hat Security Response Team has rated this issue as having moderate security impact, a future update may address this flaw.

References for CVE-2009-3766

http://dev.mutt.org/trac/ticket/3087

Patch;Vendor Advisory
http://www.openwall.com/lists/oss-security/2009/10/26/1

Mailing List;Third Party Advisory
http://marc.info/?l=oss-security&m=125198917018936&w=2

Mailing List;Third Party Advisory

CVEs referencing this url

Products affected by CVE-2009-3766

Mutt » Mutt
Versions from including (>=) 1.5.16 and before (<) 1.5.19
cpe:2.3:a:mutt:mutt:*:*:*:*:*:*:*:*
Matching versions
When used together with: Openssl » Openssl