CVE-2009-2666 — Fetchmail vulnerability

7 documents7 sources

Severity

6.4MEDIUMNVD

OSV5.9

EPSS

0.7%

top 28.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fetchmail Debian Fetchmail

Timeline

PublishedAug 7

Latest updateMay 2

Description

socket.c in fetchmail before 6.3.11 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

CVSS vector

AV:N/AC:L/C:P/I:P/A:NExploitability: 10.0 | Impact: 4.9

Affected Packages3 packages

▶debiandebian/fetchmail< fetchmail 6.3.9~rc2-6 (bookworm)

▶Debianfetchmail/fetchmail< 6.3.9~rc2-6+2

▶NVDfetchmail/fetchmail6.3.10+102

🔴Vulnerability Details

GHSA

GHSA-f5g6-55mc-jx72: socket↗2022-05-02

▶

OSV

CVE-2009-2666: socket↗2009-08-07

▶

📋Vendor Advisories

Ubuntu

fetchmail vulnerability↗2009-08-12

▶

Red Hat

fetchmail: SSL null terminator bypass↗2009-08-05

▶

Debian

CVE-2009-2666: fetchmail - socket.c in fetchmail before 6.3.11 does not properly handle a '\0' character in...↗2009

▶

💬Community

Bugzilla

CVE-2009-2666 fetchmail: SSL null terminator bypass↗2009-08-05

▶