CVE-2009-2069

CWE-287 — Improper Authentication3 documents3 sources

Severity

5.8MEDIUM

EPSS

2.2%

top 15.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft IE Microsoft Internet Explorer

Timeline

PublishedJun 15

Latest updateMay 2

Description

Microsoft Internet Explorer before 8 displays a cached certificate for a (1) 4xx or (2) 5xx CONNECT response page returned by a proxy server, which allows man-in-the-middle attackers to spoof an arbitrary https site by letting a browser obtain a valid certificate from this site during one request, and then sending the browser a crafted 502 response page upon a subsequent request.

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 8.6 | Impact: 4.9

Affected Packages2 packages

▶NVDmicrosoft/internet_explorer71 versions+70

▶NVDmicrosoft/ie5.0, 5.22, 6.0+2

🔴Vulnerability Details

GHSA

GHSA-qfhp-cf5p-v49w: Microsoft Internet Explorer before 8 displays a cached certificate for a (1) 4xx or (2) 5xx CONNECT response page returned by a proxy server, which al↗2022-05-02

▶

CVEList

CVE-2009-2069: Microsoft Internet Explorer before 8 displays a cached certificate for a (1) 4xx or (2) 5xx CONNECT response page returned by a proxy server, which al↗2009-06-15

▶