CVE-2009-2702

KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:P/A:P
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 48%
VendorProductVersion
kdekdelibs
3.5.4
kdekdelibs
4.2.4
kdekdelibs
4.3
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
kde4libs
lucid
Fixed 4:4.3.1-0ubuntu3
released
karmic
Fixed 4:4.3.1-0ubuntu3
released
jaunty
Fixed 4:4.2.2-0ubuntu5.2
released
intrepid
Fixed 4:4.1.4-0ubuntu1~intrepid1.3
released
hardy
ignored
dapper
dne
kdelibs
lucid
Fixed 4:3.5.10.dfsg.1-2ubuntu5
released
karmic
Fixed 4:3.5.10.dfsg.1-2ubuntu5
released
jaunty
Fixed 4:3.5.10.dfsg.1-1ubuntu8.2
released
intrepid
Fixed 4:3.5.10-0ubuntu6.2
released
hardy
Fixed 4:3.5.10-0ubuntu1~hardy1.3
released
dapper
ignored
Common Weakness Enumeration
References
http://secunia.com/advisories/36468
http://www.mandriva.com/security/advisories?name=MDVSA-2009:330
http://www.mandriva.com/security/advisories?name=MDVSA-2011:162
http://www.vupen.com/english/advisories/2009/2532
https://bugzilla.redhat.com/show_bug.cgi?id=520661
http://secunia.com/advisories/36468
http://www.mandriva.com/security/advisories?name=MDVSA-2009:330
http://www.mandriva.com/security/advisories?name=MDVSA-2011:162
http://www.vupen.com/english/advisories/2009/2532
https://bugzilla.redhat.com/show_bug.cgi?id=520661