Vulnerability Details : CVE-2009-3639
The mod_tls module in ProFTPD before 1.3.2b, and 1.3.3 before 1.3.3rc2, when the dNSNameRequired TLS option is enabled, does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 client certificate. This allows remote attackers to bypass intended client-hostname restrictions via a crafted certificate issued by a legitimate Certification Authority; it is an issue related to CVE-2009-2408.
Threat overview for CVE-2009-3639
Top countries where our scanners detected CVE-2009-3639
- Top open port discovered on systems with this issue: 21
- IPs affected by CVE-2009-3639: 46,128
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2009-3639
- Probability of exploitation activity in the next 30 days: 0.47%
- Percentile (the proportion of vulnerabilities scored at or below this one): ~72%
CVSS scores for CVE-2009-3639
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
5.8 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:P | 8.6 | 4.9 | NIST |
CWE ids for CVE-2009-3639
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2009-3639
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53936
- https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00649.html
- https://bugzilla.redhat.com/show_bug.cgi?id=530719 (Patch)
- http://www.securityfocus.com/bid/36804 (Patch)
- http://marc.info/?l=oss-security&m=125630966510672&w=2
- http://www.debian.org/security/2009/dsa-1925
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:288
- http://marc.info/?l=oss-security&m=125632960508211&w=2
- https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00642.html
- http://bugs.proftpd.org/show_bug.cgi?id=3275
Products affected by CVE-2009-3639
- cpe:2.3:a:proftpd:proftpd:*:a:*:*:*:*:*:*
- cpe:2.3:a:proftpd:proftpd:1.3.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:proftpd:proftpd:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:proftpd:proftpd:1.3.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:proftpd:proftpd:1.3.2:rc2:*:*:*:*:*:*
- cpe:2.3:a:proftpd:proftpd:1.3.2:rc4:*:*:*:*:*:*
- cpe:2.3:a:proftpd:proftpd:1.3.2:*:*:*:*:*:*:*