CVE-2009-2702

CWE-310 CWE-6269 documents7 sources

Severity

7.5HIGH

EPSS

0.4%

top 36.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

KDE Kdelibs

Timeline

PublishedSep 8

Latest updateMay 2

Description

KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶NVDkde/kdelibs3.5.4, 4.2.4, 4.3+2

▶Debiankde4libs< 4:4.3.2-1

🔴Vulnerability Details

GHSA

GHSA-65q5-4r9q-gp26: KDE KSSL in kdelibs 3↗2022-05-02

▶

OSV

CVE-2011-1094: kio/kio/tcpslavebase↗2011-03-16

▶

OSV

CVE-2009-2702: KDE KSSL in kdelibs 3↗2009-09-08

▶

CVEList

CVE-2009-2702: KDE KSSL in kdelibs 3↗2009-09-08

▶

📋Vendor Advisories

Red Hat

kdelibs: SSL certificate for IP address accepted as valid for hosts that resolve to the IP↗2011-01-31

▶

Ubuntu

KDE-Libs vulnerability↗2009-09-17

▶

Red Hat

kdelibs: kssl incorrect verification of SSL certificate with NUL in subjectAltName↗2009-09-01

▶

💬Community

Bugzilla

CVE-2009-2702 kdelibs: kssl incorrect verification of SSL certificate with NUL in subjectAltName↗2009-09-01

▶