CVE-2009-2409

CWE-295 — Improper Certificate Validation11 documents8 sources

Severity

5.1MEDIUM

EPSS

2.2%

top 15.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Gnutls Mozilla Network Security Services Openssl Openssl

Timeline

PublishedJul 30

Latest updateMay 2

Description

The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.

CVSS vector

AV:N/AC:H/C:P/I:P/A:PExploitability: 4.9 | Impact: 6.4

Affected Packages5 packages

▶NVDmozilla/network_security_services< 3.12.3

▶NVDgnu/gnutls2.7.0 — 2.7.4+1

▶Debianopenssl< 0.9.8k-4+3

▶NVDopenssl/openssl0.9.8 — 0.9.8k

▶Debiannss< 3.12.3-1+3

Patches

Patch: java.sun.com ↗Patch: java.sun.com ↗

🔴Vulnerability Details

GHSA

GHSA-c2f9-w3c5-x385: The Network Security Services (NSS) library before 3↗2022-05-02

▶

OSV

CVE-2009-2409: The Network Security Services (NSS) library before 3↗2009-07-30

▶

CVEList

CVE-2009-2409: The Network Security Services (NSS) library before 3↗2009-07-30

▶

📋Vendor Advisories

Ubuntu

OpenJDK vulnerabilities↗2009-11-12

▶

Ubuntu

OpenSSL vulnerability↗2009-09-14

▶

Ubuntu

GnuTLS vulnerabilities↗2009-08-19

▶

Ubuntu

NSS vulnerabilities↗2009-08-04

▶

Red Hat

deprecate MD2 in SSL cert validation (Kaminsky)↗2009-07-29

▶

💬Community

Bugzilla

CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky)↗2009-07-08

▶