CVE-2009-2417

lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:P/A:P
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 82%
VendorProductVersion
curllibcurl
7.4
curllibcurl
7.4.1
curllibcurl
7.4.2
curllibcurl
7.5
curllibcurl
7.5.1
curllibcurl
7.5.2
curllibcurl
7.6
curllibcurl
7.6.1
curllibcurl
7.7
curllibcurl
7.7.1
curllibcurl
7.7.2
curllibcurl
7.7.3
curllibcurl
7.8
curllibcurl
7.8.1
curllibcurl
7.9
curllibcurl
7.9.1
curllibcurl
7.9.2
curllibcurl
7.9.3
curllibcurl
7.9.5
curllibcurl
7.9.6
curllibcurl
7.9.7
curllibcurl
7.9.8
curllibcurl
7.10
curllibcurl
7.10.1
curllibcurl
7.10.2
curllibcurl
7.10.3
curllibcurl
7.10.4
curllibcurl
7.10.5
curllibcurl
7.10.6
curllibcurl
7.10.7
curllibcurl
7.10.8
curllibcurl
7.11.0
curllibcurl
7.11.1
curllibcurl
7.11.2
curllibcurl
7.12
curllibcurl
7.12.0
curllibcurl
7.12.1
curllibcurl
7.12.2
curllibcurl
7.12.3
curllibcurl
7.13
curllibcurl
7.13.1
curllibcurl
7.13.2
curllibcurl
7.14
curllibcurl
7.14.1
curllibcurl
7.15
curllibcurl
7.15.1
curllibcurl
7.15.2
curllibcurl
7.15.3
curllibcurl
7.16.3
curllibcurl
7.17.0
curllibcurl
7.17.1
curllibcurl
7.18.0
curllibcurl
7.18.1
curllibcurl
7.18.2
curllibcurl
7.19.0
curllibcurl
7.19.1
curllibcurl
7.19.2
curllibcurl
7.19.3
curllibcurl
7.19.4
curllibcurl
7.19.5
libcurllibcurl
7.12
libcurllibcurl
7.12.1
libcurllibcurl
7.12.2
libcurllibcurl
7.12.3
libcurllibcurl
7.13
libcurllibcurl
7.13.1
libcurllibcurl
7.13.2
libcurllibcurl
7.14
libcurllibcurl
7.14.1
libcurllibcurl
7.15
libcurllibcurl
7.15.1
libcurllibcurl
7.15.2
libcurllibcurl
7.15.3
libcurllibcurl
7.16.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
curl
bullseye
7.74.0-1.3+deb11u13
fixed
bullseye (security)
7.74.0-1.3+deb11u11
fixed
bookworm
7.88.1-10+deb12u7
fixed
bookworm (security)
7.88.1-10+deb12u5
fixed
sid
8.10.1-2
fixed
trixie
8.10.1-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
curl
jaunty
Fixed 7.18.2-8ubuntu4.1
released
intrepid
Fixed 7.18.2-1ubuntu4.4
released
hardy
Fixed 7.18.0-1ubuntu2.3
released
dapper
Fixed 7.15.1-1ubuntu3.2
released
Common Weakness Enumeration
References
http://curl.haxx.se/CVE-2009-2417/curl-7.10.6-CVE-2009-2417.patch
http://curl.haxx.se/CVE-2009-2417/curl-7.11.0-CVE-2009-2417.patch
http://curl.haxx.se/CVE-2009-2417/curl-7.12.1-CVE-2009-2417.patch
http://curl.haxx.se/CVE-2009-2417/curl-7.15.1-CVE-2009-2417.patch
http://curl.haxx.se/CVE-2009-2417/curl-7.15.5-CVE-2009-2417.patch
http://curl.haxx.se/CVE-2009-2417/curl-7.16.4-CVE-2009-2417.patch
http://curl.haxx.se/CVE-2009-2417/curl-7.18.1-CVE-2009-2417.patch
http://curl.haxx.se/CVE-2009-2417/curl-7.19.0-CVE-2009-2417.patch
http://curl.haxx.se/CVE-2009-2417/curl-7.19.5-CVE-2009-2417.patch
http://curl.haxx.se/docs/adv_20090812.txt
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
http://secunia.com/advisories/36238
http://secunia.com/advisories/36475
http://secunia.com/advisories/37471
http://secunia.com/advisories/45047
http://shibboleth.internet2.edu/secadv/secadv_20090817.txt
http://support.apple.com/kb/HT4077
http://wiki.rpath.com/Advisories:rPSA-2009-0124
http://www.securityfocus.com/archive/1/506055/100/0/threaded
http://www.securityfocus.com/archive/1/507985/100/0/threaded
http://www.securityfocus.com/bid/36032
http://www.ubuntu.com/usn/USN-1158-1
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
http://www.vupen.com/english/advisories/2009/2263
http://www.vupen.com/english/advisories/2009/3316
https://exchange.xforce.ibmcloud.com/vulnerabilities/52405
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10114
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8542
http://curl.haxx.se/CVE-2009-2417/curl-7.10.6-CVE-2009-2417.patch
http://curl.haxx.se/CVE-2009-2417/curl-7.11.0-CVE-2009-2417.patch
http://curl.haxx.se/CVE-2009-2417/curl-7.12.1-CVE-2009-2417.patch
http://curl.haxx.se/CVE-2009-2417/curl-7.15.1-CVE-2009-2417.patch
http://curl.haxx.se/CVE-2009-2417/curl-7.15.5-CVE-2009-2417.patch
http://curl.haxx.se/CVE-2009-2417/curl-7.16.4-CVE-2009-2417.patch
http://curl.haxx.se/CVE-2009-2417/curl-7.18.1-CVE-2009-2417.patch
http://curl.haxx.se/CVE-2009-2417/curl-7.19.0-CVE-2009-2417.patch
http://curl.haxx.se/CVE-2009-2417/curl-7.19.5-CVE-2009-2417.patch
http://curl.haxx.se/docs/adv_20090812.txt
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
http://secunia.com/advisories/36238
http://secunia.com/advisories/36475
http://secunia.com/advisories/37471
http://secunia.com/advisories/45047
http://shibboleth.internet2.edu/secadv/secadv_20090817.txt
http://support.apple.com/kb/HT4077
http://wiki.rpath.com/Advisories:rPSA-2009-0124
http://www.securityfocus.com/archive/1/506055/100/0/threaded
http://www.securityfocus.com/archive/1/507985/100/0/threaded
http://www.securityfocus.com/bid/36032
http://www.ubuntu.com/usn/USN-1158-1
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
http://www.vupen.com/english/advisories/2009/2263
http://www.vupen.com/english/advisories/2009/3316
https://exchange.xforce.ibmcloud.com/vulnerabilities/52405
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10114
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8542