CVE-2009-3490 : GNU Wget before 1.12 does not properly handle a '\0' character in a domain name in the Common Name field of an X.509 cer

GNU Wget before 1.12 does not properly handle a '\0' character in a domain name in the Common Name field of an X.509 certificate, which allows man-in-the-middle remote attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Published 2009-09-30 15:30:01

Updated 2017-09-19 01:29:38

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2009-3490

Probability of exploitation activity in the next 30 days: 0.41%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 71 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2009-3490

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2009-3490

CWE-310

Assigned by: nvd@nist.gov (Primary)

References for CVE-2009-3490

http://permalink.gmane.org/gmane.comp.web.wget.general/8972
https://bugzilla.redhat.com/show_bug.cgi?id=520454
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705

Juniper Networks - 2015-10 Security Bulletin: CTPView: Multiple Vulnerabilities in CTPView

CVEs referencing this url
http://marc.info/?l=oss-security&m=125369675820512&w=2

CVEs referencing this url
http://www.securityfocus.com/bid/36205
http://hg.addictivecode.org/wget/mainline/rev/1eab157d3be7
http://marc.info/?l=oss-security&m=125198917018936&w=2

'[oss-security] More CVE-2009-2408 like issues' - MARC

CVEs referencing this url
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11099
http://www.vupen.com/english/advisories/2009/2498

Vendor Advisory
http://addictivecode.org/pipermail/wget-notify/2009-August/001808.html

Products affected by CVE-2009-3490

GNU » Wget
Versions up to, including, (<=) 1.11.4
cpe:2.3:a:gnu:wget:*:*:*:*:*:*:*:*
Matching versions
GNU » Wget » Version: 1.5.3
cpe:2.3:a:gnu:wget:1.5.3:*:*:*:*:*:*:*
Matching versions
GNU » Wget » Version: 1.8
cpe:2.3:a:gnu:wget:1.8:*:*:*:*:*:*:*
Matching versions
GNU » Wget » Version: 1.8.1
cpe:2.3:a:gnu:wget:1.8.1:*:*:*:*:*:*:*
Matching versions
GNU » Wget » Version: 1.6
cpe:2.3:a:gnu:wget:1.6:*:*:*:*:*:*:*
Matching versions
GNU » Wget » Version: 1.7
cpe:2.3:a:gnu:wget:1.7:*:*:*:*:*:*:*
Matching versions
GNU » Wget » Version: 1.7.1
cpe:2.3:a:gnu:wget:1.7.1:*:*:*:*:*:*:*
Matching versions
GNU » Wget » Version: 1.9
cpe:2.3:a:gnu:wget:1.9:*:*:*:*:*:*:*
Matching versions
GNU » Wget » Version: 1.9.1
cpe:2.3:a:gnu:wget:1.9.1:*:*:*:*:*:*:*
Matching versions
GNU » Wget » Version: 1.10.1
cpe:2.3:a:gnu:wget:1.10.1:*:*:*:*:*:*:*
Matching versions
GNU » Wget » Version: 1.10.2
cpe:2.3:a:gnu:wget:1.10.2:*:*:*:*:*:*:*
Matching versions
GNU » Wget » Version: 1.10
cpe:2.3:a:gnu:wget:1.10:*:*:*:*:*:*:*
Matching versions
GNU » Wget » Version: 1.11.1
cpe:2.3:a:gnu:wget:1.11.1:*:*:*:*:*:*:*
Matching versions
GNU » Wget » Version: 1.11.2
cpe:2.3:a:gnu:wget:1.11.2:*:*:*:*:*:*:*
Matching versions
GNU » Wget » Version: 1.11.3
cpe:2.3:a:gnu:wget:1.11.3:*:*:*:*:*:*:*
Matching versions
GNU » Wget » Version: 1.11
cpe:2.3:a:gnu:wget:1.11:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2009-3490

Exploit prediction scoring system (EPSS) score for CVE-2009-3490

CVSS scores for CVE-2009-3490

CWE ids for CVE-2009-3490

References for CVE-2009-3490

Products affected by CVE-2009-3490