CVE-2009-3555
published 2009-11-09

critical · 9.8 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

Affected

59 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | http_server | <= 2.2.14 | |
| apsis | pound | >= 0 < 2.6-6.1 | 2.6-6.1 |
| apsis | pound | >= 0 < 2.6-6.1 | 2.6-6.1 |
| apsis | pound | >= 0 < 2.6-6.1 | 2.6-6.1 |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| citrix | online_plug-in_for_mac | <= 10.0 | |
| citrix | online_plug-in_for_windows | <= 11.2 | |
| citrix | online_plug-in_for_windows | | |
| citrix | online_plug-in_for_windows | | |
| citrix | receiver_for_iphone | <= 1.0 | |
| citrix | xenapp | | |
| citrix | xendesktop | | |
| debian | apache2 | < apache2 2.2.14-2 (bookworm) | apache2 2.2.14-2 (bookworm) |
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | lighttpd | < apache2 2.2.14-2 (bookworm) | apache2 2.2.14-2 (bookworm) |
| debian | nginx | < apache2 2.2.14-2 (bookworm) | apache2 2.2.14-2 (bookworm) |

CVSS provenance

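| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:P |
| osv | | 5.8 | MEDIUM | |
| vulncheck | | 5.8 | MEDIUM | |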