CVE-2008-2809

Current Description

Mozilla 1.9 M8 and earlier, Mozilla Firefox 2 before 2.0.0.15, SeaMonkey 1.1.5 and other versions before 1.1.10, Netscape 9.0, and other Mozilla-based web browsers, when a user accepts an SSL server certificate on the basis of the CN domain name in the DN field, regard the certificate as also accepted for all domain names in subjectAltName:dNSName fields, which makes it easier for remote attackers to trick a user into accepting an invalid certificate for a spoofed web site.

Basic Data

Published: July 08, 2008
Last Modified: October 11, 2018
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-20
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:H/Au:N/C:N/I:P/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: HIGH
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: NONE
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 4.0
Severity: MEDIUM
Exploitability Score: 4.9
Impact Score: 4.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    Each row is a CPE 2.3 name (cpe version : part : vendor : product : version : update : edition : language : sw edition : target sw : target hw : other); where the record carries a version range bound it is noted after the name.
    cpe:2.3:a:mozilla:firefox:2.0.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.6:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.7:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.8:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.9:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.10:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.11:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.12:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.13:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:2.0.0.14:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:gecko:*:m8:*:*:*:*:*:*  (Version End Including: 1.9)
    cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*  (Version End Including: 1.0.9)
    cpe:2.3:a:mozilla:seamonkey:1.1.5:*:*:*:*:*:*:*
    cpe:2.3:a:netscape:navigator:9.0:*:*:*:*:*:*:*

Vulnerable Software List

Vendor | Product | Versions
Mozilla | Firefox | 2.0.0.1, 2.0.0.2, 2.0.0.3, 2.0.0.4, 2.0.0.5, 2.0.0.6, 2.0.0.7, 2.0.0.8, 2.0.0.9, 2.0.0.10, 2.0.0.11, 2.0.0.12, 2.0.0.13, 2.0.0.14
Mozilla | Seamonkey | *, 1.1.5
Mozilla | Gecko | *
Netscape | Navigator | 9.0

References

Name | URL | Source | Tags
SUSE-SA:2008:034 | http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00004.html | SUSE
http://nils.toedtmann.net/pub/subjectAltName.txt | http://nils.toedtmann.net/pub/subjectAltName.txt | MISC
RHSA-2008:0616 | http://rhn.redhat.com/errata/RHSA-2008-0616.html | REDHAT
30878 | http://secunia.com/advisories/30878 | SECUNIA
30898 | http://secunia.com/advisories/30898 | SECUNIA
30903 | http://secunia.com/advisories/30903 | SECUNIA
30911 | http://secunia.com/advisories/30911 | SECUNIA | Vendor Advisory
30949 | http://secunia.com/advisories/30949 | SECUNIA
31005 | http://secunia.com/advisories/31005 | SECUNIA
31008 | http://secunia.com/advisories/31008 | SECUNIA
31021 | http://secunia.com/advisories/31021 | SECUNIA
31023 | http://secunia.com/advisories/31023 | SECUNIA
31069 | http://secunia.com/advisories/31069 | SECUNIA
31076 | http://secunia.com/advisories/31076 | SECUNIA
31183 | http://secunia.com/advisories/31183 | SECUNIA
31195 | http://secunia.com/advisories/31195 | SECUNIA
31220 | http://secunia.com/advisories/31220 | SECUNIA
31253 | http://secunia.com/advisories/31253 | SECUNIA
31286 | http://secunia.com/advisories/31286 | SECUNIA
31377 | http://secunia.com/advisories/31377 | SECUNIA
31403 | http://secunia.com/advisories/31403 | SECUNIA
33433 | http://secunia.com/advisories/33433 | SECUNIA
34501 | http://secunia.com/advisories/34501 | SECUNIA
GLSA-200808-03 | http://security.gentoo.org/glsa/glsa-200808-03.xml | GENTOO
3498 | http://securityreason.com/securityalert/3498 | SREASON
1018979 | http://securitytracker.com/id?1018979 | SECTRACK
SSA:2008-191-03 | http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.383152 | SLACKWARE
SSA:2008-191 | http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.384911 | SLACKWARE
SSA:2008-210-05 | http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.410484 | SLACKWARE
256408 | http://sunsolve.sun.com/search/document.do?assetkey=1-26-256408-1 | SUNALERT
http://wiki.rpath.com/Advisories:rPSA-2008-0216 | http://wiki.rpath.com/Advisories:rPSA-2008-0216 | CONFIRM
DSA-1607 | http://www.debian.org/security/2008/dsa-1607 | DEBIAN
DSA-1615 | http://www.debian.org/security/2008/dsa-1615 | DEBIAN
DSA-1621 | http://www.debian.org/security/2008/dsa-1621 | DEBIAN
DSA-1697 | http://www.debian.org/security/2009/dsa-1697 | DEBIAN
MDVSA-2008:136 | http://www.mandriva.com/security/advisories?name=MDVSA-2008:136 | MANDRIVA
MDVSA-2008:155 | http://www.mandriva.com/security/advisories?name=MDVSA-2008:155 | MANDRIVA
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.15 | http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.15 | CONFIRM
http://www.mozilla.org/security/announce/2008/mfsa2008-31.html | http://www.mozilla.org/security/announce/2008/mfsa2008-31.html | CONFIRM
RHSA-2008:0547 | http://www.redhat.com/support/errata/RHSA-2008-0547.html | REDHAT
RHSA-2008:0549 | http://www.redhat.com/support/errata/RHSA-2008-0549.html | REDHAT
RHSA-2008:0569 | http://www.redhat.com/support/errata/RHSA-2008-0569.html | REDHAT
20071118 Certificate spoofing issue with Mozilla, Konqueror, Safari 2 | http://www.securityfocus.com/archive/1/483929/100/100/threaded | BUGTRAQ
20071118 Re: Certificate spoofing issue with Mozilla, Konqueror, Safari 2 | http://www.securityfocus.com/archive/1/483937/100/100/threaded | BUGTRAQ
20071118 RE: Certificate spoofing issue with Mozilla, Konqueror, Safari 2 | http://www.securityfocus.com/archive/1/483960/100/100/threaded | BUGTRAQ
20080708 rPSA-2008-0216-1 firefox | http://www.securityfocus.com/archive/1/494080/100/0/threaded | BUGTRAQ
30038 | http://www.securityfocus.com/bid/30038 | BID
1020419 | http://www.securitytracker.com/id?1020419 | SECTRACK
USN-619-1 | http://www.ubuntu.com/usn/usn-619-1 | UBUNTU
USN-629-1 | http://www.ubuntu.com/usn/usn-629-1 | UBUNTU
ADV-2008-1993 | http://www.vupen.com/english/advisories/2008/1993/references | VUPEN
ADV-2009-0977 | http://www.vupen.com/english/advisories/2009/0977 | VUPEN
https://bugzilla.mozilla.org/show_bug.cgi?id=240261 | https://bugzilla.mozilla.org/show_bug.cgi?id=240261 | CONFIRM
https://bugzilla.mozilla.org/show_bug.cgi?id=327181 | https://bugzilla.mozilla.org/show_bug.cgi?id=327181 | CONFIRM
https://bugzilla.mozilla.org/show_bug.cgi?id=402347 | https://bugzilla.mozilla.org/show_bug.cgi?id=402347 | CONFIRM
mozilla-altnames-spoofing(43524) | https://exchange.xforce.ibmcloud.com/vulnerabilities/43524 | XF
https://issues.rpath.com/browse/RPL-2646 | https://issues.rpath.com/browse/RPL-2646 | CONFIRM
oval:org.mitre.oval:def:10205 | https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10205 | OVAL
FEDORA-2008-6737 | https://www.redhat.com/archives/fedora-package-announce/2008-August/msg00125.html | FEDORA
FEDORA-2008-6706 | https://www.redhat.com/archives/fedora-package-announce/2008-August/msg00144.html | FEDORA
FEDORA-2008-6127 | https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00207.html | FEDORA
FEDORA-2008-6193 | https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00288.html | FEDORA
FEDORA-2008-6196 | https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00295.html | FEDORA