CVE-2009-3765: Mutt vulnerability

5 documents, 5 sources

Severity: 6.8 MEDIUM (NVD)
EPSS: 0.6% (top 30.89%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Oct 23
Latest update: May 2

Description

mutt_ssl.c in mutt 1.5.19 and 1.5.20, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

CVSS vector

AV:N/AC:M/C:P/I:P/A:P
Exploitability: 8.6 | Impact: 6.4

Affected Packages (2 packages)

NVD: mutt/mutt 1.5.19, 1.5.20 (+1)
debian: debian/mutt

🔴 Vulnerability Details (1)

GHSA: GHSA-fp73-6h6h-9v4h: mutt_ssl (2022-05-02)

📋 Vendor Advisories (2)

Red Hat: mutt: Doesn't properly handle NULL character in subject Common Name (2009-08-11)
Debian: CVE-2009-3765: mutt - mutt_ssl.c in mutt 1.5.19 and 1.5.20, when OpenSSL is used, does not properly ha... (2009)

💬 Community (1)

Bugzilla: CVE-2009-3765 mutt: Doesn't properly handle NULL character in subject Common Name (2009-10-24)