CVE-2009-2511

2009-10-1410:30:00

CWE-189

[email protected]

web.nvd.nist.gov

cve

2009-2511

integer overflow

cryptoapi

windows

x.509

ssl

vulnerability

6.5 Medium

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.96 High

EPSS

Percentile

99.5%

JSON

Integer overflow in the CryptoAPI component in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows man-in-the-middle attackers to spoof arbitrary SSL servers and other entities via an X.509 certificate that has a malformed ASN.1 Object Identifier (OID) and was issued by a legitimate Certification Authority, aka “Integer Overflow in X.509 Object Identifiers Vulnerability.”

CPENameOperatorVersion
microsoft:windows_server_2008microsoft windows server 2008eq*
microsoft:windows_xpmicrosoft windows xpeq*
microsoft:windows_2000microsoft windows 2000eq*
microsoft:windows_7microsoft windows 7eq-
microsoft:windows_vistamicrosoft windows vistaeq*
microsoft:windows_server_2003microsoft windows server 2003eq*

CPE	Name	Operator	Version
microsoft:windows_server_2008	microsoft windows server 2008	eq	*
microsoft:windows_xp	microsoft windows xp	eq	*
microsoft:windows_2000	microsoft windows 2000	eq	*
microsoft:windows_7	microsoft windows 7	eq	-
microsoft:windows_vista	microsoft windows vista	eq	*
microsoft:windows_server_2003	microsoft windows server 2003	eq	*