CVE-2009-3555


General

Score: 5.8/10.0
Severity: Medium
Category: Cryptographic error
Exploit: Available

Impact metrics

Confidentiality: None
Integrity: Partial
Availability: Partial

Exploitability metrics

Access Vector: Network
Access Complexity: Medium
Authentication: None

Related vulnerabilities

CVE-2007-1858, CVE-2007-3385, CVE-2007-5333, CVE-2008-0085, CVE-2008-0086, CVE-2008-0106, CVE-2008-0107, CVE-2008-1678, CVE-2008-3825, CVE-2008-4316, CVE-2008-5077, CVE-2008-5416, CVE-2008-5515, CVE-2008-7270, CVE-2009-0590, CVE-2009-1105, CVE-2009-1384, CVE-2009-2285, CVE-2009-2409, CVE-2009-2693, CVE-2009-2901, CVE-2009-2902, CVE-2009-3094, CVE-2009-3095, CVE-2009-3245, CVE-2009-3548, CVE-2009-3553, CVE-2009-3767, CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798, CVE-2009-3799, CVE-2009-3800, CVE-2009-3910, CVE-2009-3951, CVE-2009-4308, CVE-2009-4355, CVE-2010-0003, CVE-2010-0007, CVE-2010-0008, CVE-2010-0036, CVE-2010-0037, CVE-2010-0082, CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0089, CVE-2010-0090, CVE-2010-0091, CVE-2010-0092, CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0291, CVE-2010-0307, CVE-2010-0395, CVE-2010-0405, CVE-2010-0408, CVE-2010-0410, CVE-2010-0415, CVE-2010-0425, CVE-2010-0433, CVE-2010-0434, CVE-2010-0437, CVE-2010-0462, CVE-2010-0538, CVE-2010-0539, CVE-2010-0622, CVE-2010-0730, CVE-2010-0734, CVE-2010-0740, CVE-2010-0826, CVE-2010-0837, CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841, CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0845, CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849, CVE-2010-0850, CVE-2010-0886, CVE-2010-0887, CVE-2010-1084, CVE-2010-1085, CVE-2010-1086, CVE-2010-1087, CVE-2010-1088, CVE-2010-1157, CVE-2010-1173, CVE-2010-1187, CVE-2010-1321, CVE-2010-1436, CVE-2010-1437, CVE-2010-1641, CVE-2010-1646, CVE-2010-1826, CVE-2010-1827, CVE-2010-2066, CVE-2010-2070, CVE-2010-2226, CVE-2010-2227, CVE-2010-2248, CVE-2010-2521, CVE-2010-2524, CVE-2010-2566, CVE-2010-2928, CVE-2010-2939, CVE-2010-3069, CVE-2010-3081, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550, CVE-2010-3551, CVE-2010-3552, CVE-2010-3553, CVE-2010-3554, CVE-2010-3555, CVE-2010-3556, CVE-2010-3557, CVE-2010-3558, CVE-2010-3559, CVE-2010-3560, CVE-2010-3561, CVE-2010-3562, 
CVE-2010-3563, CVE-2010-3564, CVE-2010-3565, CVE-2010-3566, CVE-2010-3567, CVE-2010-3568, CVE-2010-3569, CVE-2010-3570, CVE-2010-3571, CVE-2010-3572, CVE-2010-3573, CVE-2010-3574, CVE-2010-3864, CVE-2010-4180, CVE-2011-0286, CVE-2011-3389, CVE-2012-2110, CVE-2012-4929, CVE-2013-3288, CVE-2014-3566

Published on 09/11/09 - Updated on 03/07/19

Description

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

Category: Cryptographic error

CWE-310 (Cryptographic Issues)
Weaknesses in this category are related to the use of cryptography.

Security advisories

US National Vulnerability Database CVE-2009-3555
Agence Nationale de la Sécurité des Systèmes d'Information CERTA-2009-AVI-482, CERTA-2009-AVI-528, CERTA-2009-AVI-529, CERTA-2010-AVI-022, CERTA-2010-AVI-112, CERTA-2010-AVI-149, CERTA-2010-AVI-196, CERTA-2010-AVI-211, CERTA-2010-AVI-217, CERTA-2010-AVI-239, CERTA-2010-AVI-241, CERTA-2010-AVI-314, CERTA-2010-AVI-317, CERTA-2010-AVI-365, CERTA-2010-AVI-461, CERTA-2010-AVI-499, CERTA-2010-AVI-513, CERTA-2010-AVI-573, CERTA-2010-AVI-583, CERTA-2010-AVI-627, CERTA-2011-AVI-132, CERTA-2011-AVI-221, CERTA-2011-AVI-238, CERTA-2011-AVI-253, CERTA-2011-AVI-524, CERTA-2012-AVI-023, CERTA-2012-AVI-186, CERTA-2012-AVI-219, CERTA-2012-AVI-241, CERTA-2012-AVI-395, CERTFR-2017-AVI-392
CentOS CESA-2009:1579, CESA-2010:0162, CESA-2010:0164, CESA-2010:0165, CESA-2010:0166, CESA-2010:0339, CESA-2010:0768
Debian DSA-2626-1, DSA-3253-1
Debian LTS DLA-400-1
Microsoft MS10-049
Mozilla MFSA2010-22
Oracle Linux ELSA-2012-0518
Redhat RHSA-2009:1579, RHSA-2010:0130, RHSA-2010:0155, RHSA-2010:0162, RHSA-2010:0164, RHSA-2010:0165, RHSA-2010:0166, RHSA-2010:0337, RHSA-2010:0338, RHSA-2010:0339, RHSA-2010:0768, RHSA-2010:0770, RHSA-2010:0786, RHSA-2010:0807, RHSA-2010:0865, RHSA-2010:0987
Renater 2009/VULN447, 2009/VULN450, 2009/VULN477, 2009/VULN496, 2009/VULN499, 2009/VULN547, 2009/VULN550, 2010/VULN021, 2010/VULN032, 2010/VULN041, 2010/VULN078, 2010/VULN137, 2010/VULN169, 2010/VULN172, 2010/VULN191, 2010/VULN196, 2010/VULN296, 2010/VULN325, 2010/VULN395, 2010/VULN421, 2010/VULN503, 2010/VULN519, 2010/VULN554, 2011/VULN106, 2011/VULN176, 2011/VULN335, 2013/VULN524

Exploits

Exploit-DB EDB-10071, EDB-10579
SecurityFocus BID-36935

Related technologies

Vendor          Product
apache          http_server
canonical       ubuntu_linux
debian          debian_linux
fedoraproject   fedora
gnu             gnutls
microsoft       internet_information_server
mozilla         nss
openssl         openssl
