cbcvebase.
CVE-2010-2074
published 2010-06-16

CVE-2010-2074: istream.c in w3m 0.5.2 and possibly other versions, when ssl_verify_server is enabled, does not properly handle a '\0' character in a domain name in the (1)…

PriorityP429medium6.8CVSS 2.0
AVNACMAuNCPIPAP
EPSS
1.49%
70.9th percentile
istream.c in w3m 0.5.2 and possibly other versions, when ssl_verify_server is enabled, does not properly handle a '\0' character in a domain name in the (1) subject's Common Name or (2) Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Affected

6 ranges
VendorProductVersion rangeFixed in
debianw3m< w3m 0.5.2-5 (bookworm)w3m 0.5.2-5 (bookworm)
tatsw3m>= 0 < 0.5.2-50.5.2-5
tatsw3m>= 0 < 0.5.2-50.5.2-5
tatsw3m>= 0 < 0.5.2-50.5.2-5
tatsw3m>= 0 < 0.5.2-50.5.2-5
w3mw3m

CVSS provenance

nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv5.9MEDIUM
vendor_ubuntu6.8MEDIUM
vendor_debian5.9LOW
vendor_redhat5.9MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.