CVE-2009-3490

CWE-3109 documents8 sources

Severity

6.8MEDIUM

EPSS

1.8%

top 17.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Wget

Timeline

PublishedSep 30

Latest updateMay 2

Description

GNU Wget before 1.12 does not properly handle a '\0' character in a domain name in the Common Name field of an X.509 certificate, which allows man-in-the-middle remote attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages2 packages

▶Debianwget< 1.12-1+3

▶NVDgnu/wget1.11.4+15

🔴Vulnerability Details

GHSA

GHSA-6p5c-44cm-r9m8: GNU Wget before 1↗2022-05-02

▶

OSV

CVE-2009-3490: GNU Wget before 1↗2009-09-30

▶

CVEList

CVE-2009-3490: GNU Wget before 1↗2009-09-30

▶

📋Vendor Advisories

Ubuntu

Wget vulnerability↗2009-10-06

▶

Red Hat

wget: incorrect verification of SSL certificate with NUL in name↗2009-08-12

▶

Debian

CVE-2009-3490: wget - GNU Wget before 1.12 does not properly handle a '\0' character in a domain name ...↗2009

▶

💬Community

Bugzilla

CVE-2009-3490 wget: incorrect verification of SSL certificate with NUL in name↗2009-10-07

▶

Bugzilla

CVE-2009-3490 wget: incorrect verification of SSL certificate with NUL in name↗2009-08-31

▶