CVE-2009-3024

EUVD-2009-3008
The verify_hostname_of_cert function in the certificate checking feature in IO-Socket-SSL (IO::Socket::SSL) 1.14 through 1.25 only matches the prefix of a hostname when no wildcard is used, which allows remote attackers to bypass the hostname check for a certificate.
Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  4.3         NETWORK      MEDIUM           UNKNOWN         AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS 3.x Base Score: not listed
EPSS Score Percentile: 42%
Affected Products (NVD)

Vendor         Product        Version
io-socket-ssl  io-socket-ssl  1.14
io-socket-ssl  io-socket-ssl  1.15
io-socket-ssl  io-socket-ssl  1.16
io-socket-ssl  io-socket-ssl  1.16_1:_1
io-socket-ssl  io-socket-ssl  1.16_2:_2
io-socket-ssl  io-socket-ssl  1.16_3:_3
io-socket-ssl  io-socket-ssl  1.17
io-socket-ssl  io-socket-ssl  1.18
io-socket-ssl  io-socket-ssl  1.19
io-socket-ssl  io-socket-ssl  1.20
io-socket-ssl  io-socket-ssl  1.21
io-socket-ssl  io-socket-ssl  1.22
io-socket-ssl  io-socket-ssl  1.23
io-socket-ssl  io-socket-ssl  1.24
io-socket-ssl  io-socket-ssl  1.25

x = Vulnerable software versions
Debian Releases

Debian Product        Codename   Version  Status
libio-socket-ssl-perl  bookworm   2.081-2  fixed
libio-socket-ssl-perl  bullseye   2.069-1  fixed
libio-socket-ssl-perl  etch                not-affected
libio-socket-ssl-perl  sid        2.089-1  fixed
libio-socket-ssl-perl  trixie     2.089-1  fixed
Ubuntu Releases

Ubuntu Product         Codename  Status
libio-socket-ssl-perl  dapper    not-affected
libio-socket-ssl-perl  hardy     not-affected
libio-socket-ssl-perl  intrepid  not-affected
libio-socket-ssl-perl  jaunty    ignored
libio-socket-ssl-perl  karmic    not-affected
libio-socket-ssl-perl  lucid     not-affected
libio-socket-ssl-perl  maverick  not-affected
Common Weakness Enumeration