CVE-2009-2702
published 2009-09-08CVE-2009-2702: KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509…
PriorityP430high7.5CVSS 2.0
AVNACLAuNCPIPAP
EPSS
1.26%
65.9th percentile
KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kde | kdelibs | — | — |
| kde | kdelibs | — | — |
| kde | kdelibs | — | — |
| redhat | kdelibs | <= 4.6 | — |
| redhat | kdelibs | — | — |
| redhat | kdelibs | — | — |
| redhat | kdelibs | — | — |
CVSS provenance
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv7.5HIGH
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-9793-cggf-824w: kio/kio/tcpslavebase
ghsa_unreviewed·2022-05-17·CVSS 7.5
CVE-2011-1094 [HIGH] CWE-20 GHSA-9793-cggf-824w: kio/kio/tcpslavebase
kio/kio/tcpslavebase.cpp in KDE KSSL in kdelibs before 4.6.1 does not properly verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a certificate issued by a legitimate Certification Authority for an IP address, a different vulnerability than CVE-2009-2702.
GHSA
GHSA-65q5-4r9q-gp26: KDE KSSL in kdelibs 3
ghsa_unreviewed·2022-05-02·CVSS 5.9
CVE-2009-2702 [MEDIUM] GHSA-65q5-4r9q-gp26: KDE KSSL in kdelibs 3
KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
OSV
CVE-2011-1094: kio/kio/tcpslavebase
osv·2011-03-16·CVSS 7.5
CVE-2011-1094 [HIGH] CVE-2011-1094: kio/kio/tcpslavebase
kio/kio/tcpslavebase.cpp in KDE KSSL in kdelibs before 4.6.1 does not properly verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a certificate issued by a legitimate Certification Authority for an IP address, a different vulnerability than CVE-2009-2702.
OSV
CVE-2009-2702: KDE KSSL in kdelibs 3
osv·2009-09-08·CVSS 5.9
CVE-2009-2702 [MEDIUM] CVE-2009-2702: KDE KSSL in kdelibs 3
KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Red Hat
kdelibs: SSL certificate for IP address accepted as valid for hosts that resolve to the IP
vendor_redhat·2011-01-31·CVSS 7.5
CVE-2011-1094 [HIGH] kdelibs: SSL certificate for IP address accepted as valid for hosts that resolve to the IP
kdelibs: SSL certificate for IP address accepted as valid for hosts that resolve to the IP
kio/kio/tcpslavebase.cpp in KDE KSSL in kdelibs before 4.6.1 does not properly verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a certificate issued by a legitimate Certification Authority for an IP address, a different vulnerability than CVE-2009-2702.
Ubuntu
KDE-Libs vulnerability
vendor_ubuntu·2009-09-17
CVE-2009-2702 KDE-Libs vulnerability
Title: KDE-Libs vulnerability
Summary: KDE-Libs vulnerability
It was discovered that KDE did not properly handle certificates with NULL
characters in the Subject Alternative Name field of X.509 certificates. An
attacker could exploit this to perform a machine-in-the-middle attack to view
sensitive information or alter encrypted communications.
Instructions: After a standard system upgrade you need to restart your session to effect
the necessary changes.
Red Hat
kdelibs: kssl incorrect verification of SSL certificate with NUL in subjectAltName
vendor_redhat·2009-09-01·CVSS 5.9
CVE-2009-2702 [MEDIUM] CWE-626 kdelibs: kssl incorrect verification of SSL certificate with NUL in subjectAltName
kdelibs: kssl incorrect verification of SSL certificate with NUL in subjectAltName
KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Statement: This issue did not affect kdelibs packages as shipped in Red Hat Enterprise Linux 3 and 4.
The Red Hat Product Security has rated this issue as having low security impact, a future update may address this flaw in Red Hat Enterprise Linux 5.
Package: kdelibs (Red Hat Enterprise Linux 5) - Will not fix
No detection rules found.
No public exploits indexed.
http://secunia.com/advisories/36468http://www.mandriva.com/security/advisories?name=MDVSA-2009:330http://www.mandriva.com/security/advisories?name=MDVSA-2011:162http://www.vupen.com/english/advisories/2009/2532https://bugzilla.redhat.com/show_bug.cgi?id=520661http://secunia.com/advisories/36468http://www.mandriva.com/security/advisories?name=MDVSA-2009:330http://www.mandriva.com/security/advisories?name=MDVSA-2011:162http://www.vupen.com/english/advisories/2009/2532https://bugzilla.redhat.com/show_bug.cgi?id=520661
2009-09-08
Published