CVE-2009-3555

General

Score: 5.8/10.0
Severity: Medium
Category: Cryptography Error
Exploit: Available

Impact Metrics

Confidentiality: None
Integrity: Partial
Availability: Partial

Exploitability Metrics

Access Vector: Network
Access Complexity: Medium
Authentication: None

Related vulnerabilities

CVE-2007-1858, CVE-2007-3385, CVE-2007-4476, CVE-2007-5266, CVE-2007-5267, CVE-2007-5268, CVE-2007-5269, CVE-2007-5333, CVE-2008-0085, CVE-2008-0086, CVE-2008-0106, CVE-2008-0107, CVE-2008-1382, CVE-2008-1678, CVE-2008-3825, CVE-2008-4316, CVE-2008-5077, CVE-2008-5416, CVE-2008-5515, CVE-2008-5907, CVE-2008-6218, CVE-2008-7270, CVE-2009-0040, CVE-2009-0590, CVE-2009-1105, CVE-2009-1377, CVE-2009-1378, CVE-2009-1379, CVE-2009-1384, CVE-2009-1386, CVE-2009-1387, CVE-2009-1891, CVE-2009-2042, CVE-2009-2285, CVE-2009-2409, CVE-2009-2693, CVE-2009-2901, CVE-2009-2902, CVE-2009-3094, CVE-2009-3095, CVE-2009-3245, CVE-2009-3548, CVE-2009-3553, CVE-2009-3560, CVE-2009-3720, CVE-2009-3767, CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798, CVE-2009-3799, CVE-2009-3800, CVE-2009-3867, CVE-2009-3869, CVE-2009-3871, CVE-2009-3874, CVE-2009-3875, CVE-2009-3910, CVE-2009-3951, CVE-2009-4027, CVE-2009-4307, CVE-2009-4308, CVE-2009-4355, CVE-2010-0003, CVE-2010-0007, CVE-2010-0008, CVE-2010-0036, CVE-2010-0037, CVE-2010-0082, CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0089, CVE-2010-0090, CVE-2010-0091, CVE-2010-0092, CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0205, CVE-2010-0291, CVE-2010-0307, CVE-2010-0395, CVE-2010-0405, CVE-2010-0408, CVE-2010-0410, CVE-2010-0415, CVE-2010-0425, CVE-2010-0433, CVE-2010-0434, CVE-2010-0437, CVE-2010-0462, CVE-2010-0538, CVE-2010-0539, CVE-2010-0622, CVE-2010-0624, CVE-2010-0727, CVE-2010-0730, CVE-2010-0731, CVE-2010-0734, CVE-2010-0740, CVE-2010-0826, CVE-2010-0837, CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841, CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0845, CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849, CVE-2010-0850, CVE-2010-0886, CVE-2010-0887, CVE-2010-1084, CVE-2010-1085, CVE-2010-1086, CVE-2010-1087, CVE-2010-1088, CVE-2010-1157, CVE-2010-1173, CVE-2010-1187, CVE-2010-1188, CVE-2010-1321, CVE-2010-1436, CVE-2010-1437, CVE-2010-1641, CVE-2010-1646, 
CVE-2010-1826, CVE-2010-1827, CVE-2010-2066, CVE-2010-2070, CVE-2010-2224, CVE-2010-2226, CVE-2010-2227, CVE-2010-2248, CVE-2010-2521, CVE-2010-2524, CVE-2010-2566, CVE-2010-2928, CVE-2010-2939, CVE-2010-3069, CVE-2010-3081, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550, CVE-2010-3551, CVE-2010-3552, CVE-2010-3553, CVE-2010-3554, CVE-2010-3555, CVE-2010-3556, CVE-2010-3557, CVE-2010-3558, CVE-2010-3559, CVE-2010-3560, CVE-2010-3561, CVE-2010-3562, CVE-2010-3563, CVE-2010-3564, CVE-2010-3565, CVE-2010-3566, CVE-2010-3567, CVE-2010-3568, CVE-2010-3569, CVE-2010-3570, CVE-2010-3571, CVE-2010-3572, CVE-2010-3573, CVE-2010-3574, CVE-2010-3864, CVE-2010-4180, CVE-2010-4422, CVE-2010-4447, CVE-2010-4448, CVE-2010-4452, CVE-2010-4454, CVE-2010-4462, CVE-2010-4463, CVE-2010-4465, CVE-2010-4466, CVE-2010-4467, CVE-2010-4468, CVE-2010-4471, CVE-2010-4473, CVE-2010-4475, CVE-2010-4476, CVE-2011-0286, CVE-2011-3389, CVE-2012-2110, CVE-2012-4929, CVE-2013-3288, CVE-2014-3566

Published on 09/11/09 - Updated on 03/07/19

Description

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

Category: Cryptography Error

CWE-310 (Cryptographic Issues)
Weaknesses in this category are related to the use of cryptography.

Security Notices

US National Vulnerability Database CVE-2009-3555
Agence Nationale de la Sécurité des Systèmes d'Information CERTA-2009-AVI-482, CERTA-2009-AVI-528, CERTA-2009-AVI-529, CERTA-2010-AVI-022, CERTA-2010-AVI-112, CERTA-2010-AVI-149, CERTA-2010-AVI-196, CERTA-2010-AVI-211, CERTA-2010-AVI-217, CERTA-2010-AVI-239, CERTA-2010-AVI-241, CERTA-2010-AVI-314, CERTA-2010-AVI-317, CERTA-2010-AVI-365, CERTA-2010-AVI-461, CERTA-2010-AVI-499, CERTA-2010-AVI-513, CERTA-2010-AVI-573, CERTA-2010-AVI-583, CERTA-2010-AVI-627, CERTA-2011-AVI-132, CERTA-2011-AVI-221, CERTA-2011-AVI-238, CERTA-2011-AVI-253, CERTA-2011-AVI-524, CERTA-2012-AVI-023, CERTA-2012-AVI-186, CERTA-2012-AVI-219, CERTA-2012-AVI-241, CERTA-2012-AVI-395, CERTFR-2017-AVI-392
CentOS CESA-2009:1579, CESA-2009:1580, CESA-2010:0162, CESA-2010:0163, CESA-2010:0164, CESA-2010:0165, CESA-2010:0166, CESA-2010:0167, CESA-2010:0339, CESA-2010:0768
Debian DSA-2626-1, DSA-3253-1
Debian LTS DLA-400-1
Microsoft MS10-049
Mozilla MFSA2010-22
Oracle Linux ELSA-2010-0162, ELSA-2010-0163, ELSA-2010-0164, ELSA-2010-0165, ELSA-2010-0166, ELSA-2010-0167, ELSA-2012-0518
Redhat RHSA-2009:1579, RHSA-2009:1580, RHSA-2010:0011, RHSA-2010:0119, RHSA-2010:0130, RHSA-2010:0155, RHSA-2010:0162, RHSA-2010:0163, RHSA-2010:0164, RHSA-2010:0165, RHSA-2010:0166, RHSA-2010:0167, RHSA-2010:0337, RHSA-2010:0338, RHSA-2010:0339, RHSA-2010:0408, RHSA-2010:0440, RHSA-2010:0478, RHSA-2010:0768, RHSA-2010:0770, RHSA-2010:0786, RHSA-2010:0807, RHSA-2010:0865, RHSA-2010:0986, RHSA-2010:0987, RHSA-2011:0880
Renater 2009/VULN447, 2009/VULN450, 2009/VULN477, 2009/VULN496, 2009/VULN499, 2009/VULN547, 2009/VULN550, 2010/VULN021, 2010/VULN032, 2010/VULN041, 2010/VULN078, 2010/VULN137, 2010/VULN169, 2010/VULN172, 2010/VULN191, 2010/VULN196, 2010/VULN296, 2010/VULN325, 2010/VULN395, 2010/VULN421, 2010/VULN503, 2010/VULN519, 2010/VULN554, 2011/VULN106, 2011/VULN176, 2011/VULN335, 2013/VULN524

Exploits

Exploit-DB EDB-10071, EDB-10579
SecurityFocus BID-36935

Related technologies

Vendor          Product
apache          http_server
canonical       ubuntu_linux
debian          debian_linux
fedoraproject   fedora
gnu             gnutls
microsoft       internet_information_server
mozilla         nss
openssl         openssl