CVE-2009-4565

CWE-3107 documents7 sources

Severity

7.5HIGH

EPSS

0.8%

top 26.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sendmail Sendmail

Timeline

PublishedJan 4

Latest updateMay 2

Description

sendmail before 8.14.4 does not properly handle a '\0' character in a Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended access restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶Debiansendmail< 8.14.3-9.1+3

▶NVDsendmail/sendmail8.14.3+57

Patches

Patch: www.sendmail.org ↗Patch: www.vupen.com ↗Patch: www.sendmail.org ↗

🔴Vulnerability Details

GHSA

GHSA-g4p5-56vp-vcg5: sendmail before 8↗2022-05-02

▶

OSV

CVE-2009-4565: sendmail before 8↗2010-01-04

▶

CVEList

CVE-2009-4565: sendmail before 8↗2010-01-04

▶

📋Vendor Advisories

Red Hat

sendmail: incorrect verification of SSL certificate with NUL in name↗2009-12-30

▶

Debian

CVE-2009-4565: sendmail - sendmail before 8.14.4 does not properly handle a '\0' character in a Common Nam...↗2009

▶

💬Community

Bugzilla

CVE-2009-4565 sendmail: incorrect verification of SSL certificate with NUL in name↗2010-01-05

▶