Total
2447 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2009-3024 | 1 Io-socket-ssl | 1 Io-socket-ssl | 2024-11-21 | 4.3 MEDIUM | N/A |
The verify_hostname_of_cert function in the certificate checking feature in IO-Socket-SSL (IO::Socket::SSL) 1.14 through 1.25 only matches the prefix of a hostname when no wildcard is used, which allows remote attackers to bypass the hostname check for a certificate. | |||||
CVE-2009-2982 | 1 Adobe | 2 Acrobat, Acrobat Reader | 2024-11-21 | 9.3 HIGH | N/A |
An unspecified certificate in Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 might allow remote attackers to conduct a "social engineering attack" via unknown vectors. | |||||
CVE-2009-2977 | 1 Cisco | 1 Cs-mars | 2024-11-21 | 3.3 LOW | N/A |
The Cisco Security Monitoring, Analysis and Response System (CS-MARS) 6.0.4 and earlier stores cleartext passwords in log/sysbacktrace.## files within error-logs.tar.gz archives, which allows context-dependent attackers to obtain sensitive information by reading these files. | |||||
CVE-2009-2976 | 1 Cisco | 2 Aironet Ap1100, Aironet Ap1200 | 2024-11-21 | 7.8 HIGH | N/A |
Cisco Aironet Lightweight Access Point (AP) devices send the contents of certain multicast data frames in cleartext, which allows remote attackers to discover Wireless LAN Controller MAC addresses and IP addresses, and AP configuration details, by sniffing the wireless network. | |||||
CVE-2009-2973 | 1 Google | 1 Chrome | 2024-11-21 | 6.4 MEDIUM | N/A |
Google Chrome before 2.0.172.43 does not prevent SSL connections to a site with an X.509 certificate signed with the (1) MD2 or (2) MD4 algorithm, which makes it easier for man-in-the-middle attackers to spoof arbitrary HTTPS servers via a crafted certificate, a related issue to CVE-2009-2409. | |||||
CVE-2009-2951 | 1 Phenotype-cms | 1 Phenotype Cms | 2024-11-21 | 7.5 HIGH | N/A |
Phenotype CMS before 2.9 does not use a random salt value for password encryption, which makes it easier for context-dependent attackers to determine cleartext passwords. | |||||
CVE-2009-2843 | 1 Apple | 2 Mac Os X, Mac Os X Server | 2024-11-21 | 5.0 MEDIUM | N/A |
Java for Mac OS X 10.5 before Update 6 and 10.6 before Update 1 accepts expired certificates for applets, which makes it easier for remote attackers to execute arbitrary code via an applet. | |||||
CVE-2009-2825 | 1 Apple | 2 Mac Os X, Mac Os X Server | 2024-11-21 | 4.3 MEDIUM | N/A |
Certificate Assistant in Apple Mac OS X before 10.6.2 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. | |||||
CVE-2009-2808 | 1 Apple | 2 Mac Os X, Mac Os X Server | 2024-11-21 | 5.4 MEDIUM | N/A |
Help Viewer in Apple Mac OS X before 10.6.2 does not use an HTTPS connection to retrieve Apple Help content from a web site, which allows man-in-the-middle attackers to send a crafted help:runscript link, and thereby execute arbitrary code, via a spoofed response. | |||||
CVE-2009-2752 | 1 Ibm | 1 Websphere Commerce | 2024-11-21 | 1.5 LOW | N/A |
IBM WebSphere Commerce 7.0 does not properly encrypt data in a database, which makes it easier for local users to obtain sensitive information by defeating cryptographic protection mechanisms. | |||||
CVE-2009-2751 | 1 Ibm | 1 Websphere Commerce | 2024-11-21 | 4.3 MEDIUM | N/A |
IBM WebSphere Commerce 7.0 uses the same cryptographic key for session attributes and merchant data encryption, which has unspecified impact and remote attack vectors. | |||||
CVE-2009-2749 | 1 Ibm | 2 Communications Enabled Applications, Websphere Application Server | 2024-11-21 | 6.4 MEDIUM | N/A |
Feature Pack for Communications Enabled Applications (CEA) before 1.0.0.1 for IBM WebSphere Application Server 7.0.0.7 uses predictable session values, which allows man-in-the-middle attackers to spoof a collaboration session by guessing the value. | |||||
CVE-2009-2730 | 1 Gnu | 1 Gnutls | 2024-11-21 | 7.5 HIGH | N/A |
libgnutls in GnuTLS before 2.8.2 does not properly handle a '\0' character in a domain name in the subject's (1) Common Name (CN) or (2) Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. | |||||
CVE-2009-2702 | 1 Kde | 1 Kdelibs | 2024-11-21 | 7.5 HIGH | N/A |
KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. | |||||
CVE-2009-2666 | 1 Fetchmail | 1 Fetchmail | 2024-11-21 | 6.4 MEDIUM | N/A |
socket.c in fetchmail before 6.3.11 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. | |||||
CVE-2009-2661 | 1 Strongswan | 1 Strongswan | 2024-11-21 | 5.0 MEDIUM | N/A |
The asn1_length function in strongSwan 2.8 before 2.8.11, 4.2 before 4.2.17, and 4.3 before 4.3.3 does not properly handle X.509 certificates with crafted Relative Distinguished Names (RDNs), which allows remote attackers to cause a denial of service (pluto IKE daemon crash) via malformed ASN.1 data. NOTE: this is due to an incomplete fix for CVE-2009-2185. | |||||
CVE-2009-2510 | 1 Microsoft | 6 Windows 2000, Windows 2003 Server, Windows 7 and 3 more | 2024-11-21 | 6.8 MEDIUM | N/A |
The CryptoAPI component in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7, as used by Internet Explorer and other applications, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, aka "Null Truncation in X.509 Common Name Vulnerability," a related issue to CVE-2009-2408. | |||||
CVE-2009-2417 | 2 Curl, Libcurl | 2 Libcurl, Libcurl | 2024-11-21 | 7.5 HIGH | N/A |
lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. | |||||
CVE-2009-2409 | 3 Gnu, Mozilla, Openssl | 4 Gnutls, Firefox, Nss and 1 more | 2024-11-21 | 5.1 MEDIUM | N/A |
The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large. | |||||
CVE-2009-2319 | 1 Axesstel | 1 Mv 410r | 2024-11-21 | 5.0 MEDIUM | N/A |
The default configuration of the Wi-Fi component on the Axesstel MV 410R does not use encryption, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. |