Vulnerability Description
mutt_ssl.c in mutt 1.5.16 and other versions before 1.5.19, when OpenSSL is used, does not verify the domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mutt | Mutt | >= 1.5.16, < 1.5.19 |
| Openssl | Openssl | All versions |
Related Weaknesses (CWE)
References
- http://dev.mutt.org/trac/ticket/3087PatchVendor Advisory
- http://marc.info/?l=oss-security&m=125198917018936&w=2Mailing ListThird Party Advisory
- http://www.openwall.com/lists/oss-security/2009/10/26/1Mailing ListThird Party Advisory
- http://dev.mutt.org/trac/ticket/3087PatchVendor Advisory
- http://marc.info/?l=oss-security&m=125198917018936&w=2Mailing ListThird Party Advisory
- http://www.openwall.com/lists/oss-security/2009/10/26/1Mailing ListThird Party Advisory
FAQ
What is CVE-2009-3766?
CVE-2009-3766 is a vulnerability with a CVSS score of 6.8 (MEDIUM). mutt_ssl.c in mutt 1.5.16 and other versions before 1.5.19, when OpenSSL is used, does not verify the domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-t...
How severe is CVE-2009-3766?
CVE-2009-3766 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2009-3766?
Check the references section above for vendor advisories and patch information. Affected products include: Mutt Mutt, Openssl Openssl.