CVE-2011-1094

CWE-20Improper Input Validation7 documents7 sources
Severity
4.3MEDIUM
EPSS
0.8%
top 25.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Redhat Kdelibs
Timeline
PublishedMar 16
Latest updateMay 17

Description

kio/kio/tcpslavebase.cpp in KDE KSSL in kdelibs before 4.6.1 does not properly verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a certificate issued by a legitimate Certification Authority for an IP address, a different vulnerability than CVE-2009-2702.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

NVDredhat/kdelibs4.6+3
Debiankde4libs< 4:4.4.5-4

Patches

Patch: openwall.comPatch: openwall.comPatch: projects.kde.org

🔴Vulnerability Details

3
GHSA
GHSA-9793-cggf-824w: kio/kio/tcpslavebase2022-05-17
CVEList
CVE-2011-1094: kio/kio/tcpslavebase2011-03-16
OSV
CVE-2011-1094: kio/kio/tcpslavebase2011-03-16

📋Vendor Advisories

2
Ubuntu
KDE-Libs vulnerabilities2011-04-14
Red Hat
kdelibs: SSL certificate for IP address accepted as valid for hosts that resolve to the IP2011-01-31

💬Community

1
Bugzilla
CVE-2011-1094 kdelibs: SSL certificate for IP address accepted as valid for hosts that resolve to the IP2010-09-09
CVE-2011-1094 (MEDIUM CVSS 4.3) | kio/kio/tcpslavebase.cpp in KDE KSS | cvebase.io