Lucene search

[email protected]NVD:CVE-2009-4034

HistoryDec 15, 2009 - 6:30 p.m.

CVE-2009-4034

2009-12-1518:30:01

CWE-310

[email protected]

web.nvd.nist.gov

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:P/A:P

6.3 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

71.8%

JSON

PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly handle a ‘\0’ character in a domain name in the subject’s Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based PostgreSQL servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended client-hostname restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Affected configurations

NVD

Node

postgresqlpostgresqlMatch7.4.1

postgresqlpostgresqlMatch7.4.2

postgresqlpostgresqlMatch7.4.3

postgresqlpostgresqlMatch7.4.4

postgresqlpostgresqlMatch7.4.5

postgresqlpostgresqlMatch7.4.6

postgresqlpostgresqlMatch7.4.7

postgresqlpostgresqlMatch7.4.8

postgresqlpostgresqlMatch7.4.9

postgresqlpostgresqlMatch7.4.10

postgresqlpostgresqlMatch7.4.11

postgresqlpostgresqlMatch7.4.12

postgresqlpostgresqlMatch7.4.13

postgresqlpostgresqlMatch7.4.14

postgresqlpostgresqlMatch7.4.15

postgresqlpostgresqlMatch7.4.16

postgresqlpostgresqlMatch7.4.17

postgresqlpostgresqlMatch7.4.18

postgresqlpostgresqlMatch7.4.19

postgresqlpostgresqlMatch7.4.20

postgresqlpostgresqlMatch7.4.21

postgresqlpostgresqlMatch7.4.22

postgresqlpostgresqlMatch7.4.23

postgresqlpostgresqlMatch7.4.24

postgresqlpostgresqlMatch7.4.25

postgresqlpostgresqlMatch7.4.26

postgresqlpostgresqlMatch8.0.0

postgresqlpostgresqlMatch8.0.1

postgresqlpostgresqlMatch8.0.2

postgresqlpostgresqlMatch8.0.3

postgresqlpostgresqlMatch8.0.4

postgresqlpostgresqlMatch8.0.5

postgresqlpostgresqlMatch8.0.6

postgresqlpostgresqlMatch8.0.7

postgresqlpostgresqlMatch8.0.8

postgresqlpostgresqlMatch8.0.9

postgresqlpostgresqlMatch8.0.10

postgresqlpostgresqlMatch8.0.11

postgresqlpostgresqlMatch8.0.12

postgresqlpostgresqlMatch8.0.13

postgresqlpostgresqlMatch8.0.14

postgresqlpostgresqlMatch8.0.15

postgresqlpostgresqlMatch8.0.16

postgresqlpostgresqlMatch8.0.17

postgresqlpostgresqlMatch8.0.18

postgresqlpostgresqlMatch8.0.19

postgresqlpostgresqlMatch8.0.20

postgresqlpostgresqlMatch8.0.21

postgresqlpostgresqlMatch8.0.22

postgresqlpostgresqlMatch8.1.0

postgresqlpostgresqlMatch8.1.1

postgresqlpostgresqlMatch8.1.2

postgresqlpostgresqlMatch8.1.3

postgresqlpostgresqlMatch8.1.4

postgresqlpostgresqlMatch8.1.5

postgresqlpostgresqlMatch8.1.6

postgresqlpostgresqlMatch8.1.7

postgresqlpostgresqlMatch8.1.8

postgresqlpostgresqlMatch8.1.9

postgresqlpostgresqlMatch8.1.10

postgresqlpostgresqlMatch8.1.11

postgresqlpostgresqlMatch8.1.12

postgresqlpostgresqlMatch8.1.13

postgresqlpostgresqlMatch8.1.14

postgresqlpostgresqlMatch8.1.15

postgresqlpostgresqlMatch8.1.16

postgresqlpostgresqlMatch8.1.17

postgresqlpostgresqlMatch8.1.18

postgresqlpostgresqlMatch8.2

postgresqlpostgresqlMatch8.2.1

postgresqlpostgresqlMatch8.2.2

postgresqlpostgresqlMatch8.2.3

postgresqlpostgresqlMatch8.2.4

postgresqlpostgresqlMatch8.2.5

postgresqlpostgresqlMatch8.2.6

postgresqlpostgresqlMatch8.2.7

postgresqlpostgresqlMatch8.2.8

postgresqlpostgresqlMatch8.2.9

postgresqlpostgresqlMatch8.2.10

postgresqlpostgresqlMatch8.2.11

postgresqlpostgresqlMatch8.2.12

postgresqlpostgresqlMatch8.2.13

postgresqlpostgresqlMatch8.2.14

postgresqlpostgresqlMatch8.3.1

postgresqlpostgresqlMatch8.3.2

postgresqlpostgresqlMatch8.3.3

postgresqlpostgresqlMatch8.3.4

postgresqlpostgresqlMatch8.3.5

postgresqlpostgresqlMatch8.3.6

postgresqlpostgresqlMatch8.3.7

postgresqlpostgresqlMatch8.3.8

postgresqlpostgresqlMatch8.4.1

References

lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html

marc.info/?l=bugtraq&m=134124585221119&w=2

osvdb.org/61038

secunia.com/advisories/37663

wiki.rpath.com/wiki/Advisories:rPSA-2010-0012

www.mandriva.com/security/advisories?name=MDVSA-2009:333

www.postgresql.org/docs/current/static/release-7-4-27.html

www.postgresql.org/docs/current/static/release-8-0-23.html

www.postgresql.org/docs/current/static/release-8-1-19.html

www.postgresql.org/docs/current/static/release-8-2-15.html

www.postgresql.org/docs/current/static/release-8-3-9.html

www.postgresql.org/docs/current/static/release-8-4-2.html

www.postgresql.org/support/security.html

www.securityfocus.com/archive/1/509917/100/0/threaded

www.securityfocus.com/bid/37334

www.securitytracker.com/id?1023325

www.vupen.com/english/advisories/2009/3519

www.redhat.com/archives/fedora-package-announce/2009-December/msg01035.html

www.redhat.com/archives/fedora-package-announce/2009-December/msg01056.html

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:P/A:P

6.3 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

71.8%

JSON

Related for NVD:CVE-2009-4034

prion21 cvelist15 cve17 ubuntucve9 nessus38 openvas46 exploitdb1 securityvulns6 threatpost1 nvd17 veracode1 seebug4 freebsd1 debiancve10 mozilla1 postgresql1 f56 amazon1 debian2 aix1