CVE-2010-2074
Published: Jun 16, 2010
Modified: Aug 7, 2024
PUBLISHED
Description
istream.c in w3m 0.5.2 and possibly other versions, when ssl_verify_server is enabled, does not properly handle a '\0' character in a domain name in the (1) subject's Common Name or (2) Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | affected n/a |
References
| Reference | Type | Source tag |
|---|---|---|
| [oss-security] 20100614 CVE Request: w3m does not check null bytes CN/subjAltName | mailing-list | x_refsource_MLIST |
| 40134 | third-party-advisory | x_refsource_SECUNIA |
| 65538 | vdb-entry | x_refsource_OSVDB |
| 1024252 | vdb-entry | x_refsource_SECTRACK |
| ADV-2010-1467 | vdb-entry | x_refsource_VUPEN |
| ADV-2010-1879 | vdb-entry | x_refsource_VUPEN |
| ADV-2010-1928 | vdb-entry | x_refsource_VUPEN |
| SUSE-SR:2010:014 | vendor-advisory | x_refsource_SUSE |
| RHSA-2010:0565 | vendor-advisory | x_refsource_REDHAT |
| 40837 | vdb-entry | x_refsource_BID |
| 40733 | third-party-advisory | x_refsource_SECUNIA |
| FEDORA-2010-10369 | vendor-advisory | x_refsource_FEDORA |