CVE-2009-2474 — Inadequate Encryption Strength in Neon

CWE-326 — Inadequate Encryption Strength7 documents7 sources

Severity

5.8MEDIUMNVD

OSV5.9

EPSS

0.4%

top 36.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Litmuschaos Litmus Apple MAC OS X Webdav Neon +4 more

Timeline

PublishedAug 21

Latest updateMay 2

Description

neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 8.6 | Impact: 4.9

Affected Packages5 packages

▶NVDwebdav/neon< 0.28.6

▶debiandebian/neon27< litmus 0.13-1 (bookworm)

▶debiandebian/litmus< litmus 0.13-1 (bookworm)

▶NVDapple/mac_os_x< 10.6.5

▶Debianlitmuschaos/litmus< 0.13-1+3

Also affects: Fedora 10, 11, Ubuntu Linux 6.06, 8.04, 8.10, 9.04

🔴Vulnerability Details

GHSA

GHSA-x9rv-vww8-vmj9: neon before 0↗2022-05-02

▶

OSV

CVE-2009-2474: neon before 0↗2009-08-21

▶

📋Vendor Advisories

Ubuntu

neon vulnerabilities↗2009-09-21

▶

Red Hat

neon: Improper verification of x509v3 certificate with NULL (zero) byte in certain fields↗2009-08-18

▶

Debian

CVE-2009-2474: litmus - neon before 0.28.6, when OpenSSL or GnuTLS is used, does not properly handle a '...↗2009

▶

💬Community

Bugzilla

CVE-2009-2474 neon: Improper verification of x509v3 certificate with NULL (zero) byte in certain fields↗2009-08-19

▶