CVE-2009-2417 — Curl Libcurl vulnerability

10 documents8 sources

Severity

7.5HIGHNVD

CNA5.9OSV5.9

EPSS

7.3%

top 8.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Curl Libcurl Libcurl

Timeline

PublishedAug 14

Latest updateMay 2

Description

lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

▶NVDcurl/libcurl60 versions+59

▶NVDlibcurl/libcurl14 versions+13

▶Debianhaxx/curl< 7.19.5-1.1+3

Patches

Patch: curl.haxx.se ↗Patch: curl.haxx.se ↗Patch: curl.haxx.se ↗

🔴Vulnerability Details

GHSA

GHSA-c74q-xg62-9cwm: lib/ssluse↗2022-05-02

▶

CVEList

CVE-2009-2417: lib/ssluse↗2009-08-14

▶

OSV

CVE-2009-2417: lib/ssluse↗2009-08-14

▶

📋Vendor Advisories

Ubuntu

curl vulnerabilities↗2011-06-24

▶

Ubuntu

curl vulnerability↗2009-08-17

▶

Red Hat

curl: incorrect verification of SSL certificate with NUL in name↗2009-08-12

▶

Debian

CVE-2009-2417: curl - lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does ...↗2009

▶

💬Community

Bugzilla

CVE-2009-2417 curl: incorrect verification of SSL certificate with NUL in name↗2009-08-07

▶

Bugzilla

CVE-2009-0482 bugzilla: CSRF vuln via process_bug.cgi↗2009-02-10

▶