CVE-2009-3024

The verify_hostname_of_cert function in the certificate checking feature of IO-Socket-SSL (the Perl module IO::Socket::SSL) 1.14 through 1.25 only matches the prefix of a hostname when the certificate's name contains no wildcard: the check succeeds whenever the hostname being verified merely begins with the name in the certificate, with nothing anchoring the end of the match. A remote attacker who holds a certificate for such a prefix (for example a name that is the target hostname minus its last character) can present it for the longer hostname and bypass the hostname check.
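The following Perl script is an added example written for this page; it is not the IO::Socket::SSL source. It models a hostname check whose non-wildcard branch is anchored only at the start of the string (the defect the advisory describes), places a corrected version beside it, and runs both over constructed hostnames. The subroutine names, the wildcard handling and the sample names are all assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example for CVE-2009-3024; illustrative code, not the
# IO::Socket::SSL implementation. Models a prefix-only hostname match
# beside its corrected form and runs both over constructed inputs.
use strict;
use warnings;

# Pattern for a certificate name with a leftmost wildcard label.
# The wildcard matches exactly one DNS label; the pattern is anchored at
# both ends. Both variants below share this part and differ only in how
# they treat a name without a wildcard.
sub _wildcard_pattern {
    my ($cert_name) = @_;
    my $re = quotemeta($cert_name);
    $re =~ s/^\\\*/[^.]+/;      # leading '\*' becomes a one-label matcher
    return qr/^$re\z/i;
}

# Vulnerable model: a plain (non-wildcard) certificate name only has to
# be a prefix of the hostname being verified.
sub vulnerable_match {
    my ($cert_name, $hostname) = @_;
    if ($cert_name =~ /^\*\./) {
        return $hostname =~ _wildcard_pattern($cert_name) ? 1 : 0;
    }
    return $hostname =~ /^\Q$cert_name\E/i ? 1 : 0;   # BUG: no trailing anchor
}

# Corrected model: a plain certificate name must equal the whole
# hostname (DNS names compare case-insensitively).
sub fixed_match {
    my ($cert_name, $hostname) = @_;
    if ($cert_name =~ /^\*\./) {
        return $hostname =~ _wildcard_pattern($cert_name) ? 1 : 0;
    }
    return lc($cert_name) eq lc($hostname) ? 1 : 0;
}

# Constructed cases (hypothetical names). The second and third lines are
# the bypass: the certificate name is a strict prefix of the hostname.
my @cases = (
    [ 'www.example.com', 'www.example.com'               ],
    [ 'www.example.co',  'www.example.com'               ],
    [ 'www.example.com', 'www.example.com.attacker.test' ],
    [ '*.example.com',   'www.example.com'               ],
    [ '*.example.com',   'www.example.com.attacker.test' ],
);
for my $c (@cases) {
    printf "cert=%-16s host=%-30s vulnerable=%d fixed=%d\n",
        $c->[0], $c->[1], vulnerable_match(@$c), fixed_match(@$c);
}
```

Run with `perl hostname_check.pl`. The two prefix cases print vulnerable=1 and fixed=0; the exact and wildcard cases agree in both versions, which matches the advisory's statement that only the no-wildcard path is affected. When reviewing any hostname verifier, the check to make is that the non-wildcard branch compares whole strings (or anchors both ends of the pattern) rather than relying on a start-anchored regular expression.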
CVSS scoring

Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST     | NIST | 4.3        | NETWORK     | MEDIUM          | UNKNOWN        | AV:N/AC:M/Au:N/C:N/I:P/A:N
mitre    | CNA  | ---        | ---         | ---             | ---            | ---
CVE      | ADP  | ---        | ---         | ---             | ---            | ---

The NIST entry is a CVSS 2.0 vector (Au:N: no authentication required; C:N/I:P/A:N: partial integrity impact only). No CVSS 3.x base score is listed. EPSS score: not shown; EPSS percentile: 42%.
Affected software

Vendor: io-socket-ssl
Product: io-socket-ssl
Versions marked vulnerable: 1.14, 1.15, 1.16, 1.16_1, 1.16_2, 1.16_3, 1.17, 1.18, 1.19, 1.20, 1.21, 1.22, 1.23, 1.24, 1.25
Debian Releases (package libio-socket-ssl-perl)

Codename | Version | Status
etch     | ---     | not-affected
bullseye | 2.069-1 | fixed
bookworm | 2.081-2 | fixed
trixie   | 2.089-1 | fixed
sid      | 2.089-1 | fixed
Ubuntu Releases (package libio-socket-ssl-perl)

Codename | Status
maverick | not-affected
lucid    | not-affected
karmic   | not-affected
jaunty   | ignored
intrepid | not-affected
hardy    | not-affected
dapper   | not-affected
Common Weakness Enumeration