OpenCVE

Mutt 1.5.19, when linked against (1) OpenSSL (mutt_ssl.c) or (2) GnuTLS (mutt_ssl_gnutls.c), allows connections when only one TLS certificate in the chain is accepted instead of verifying the entire chain, which allows remote attackers to spoof trusted servers via a man-in-the-middle attack.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Gnu	Gnutls
Mutt	Mutt
Openssl	Openssl

Configuration 1 [-]

AND

cpe:2.3:a:mutt:mutt:1.5.19:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*

cpe:2.3:a:gnu:gnutls:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://dev.mutt.org/hg/mutt/rev/64bf199c8d8a
http://dev.mutt.org/hg/mutt/rev/8f11dd00c770
http://www.openwall.com/lists/oss-security/2009/06/10/2
http://www.securityfocus.com/bid/35288
https://exchange.xforce.ibmcloud.com/vulnerabilities/51068
https://nvd.nist.gov/vuln/detail/CVE-2009-1390
https://www.cve.org/CVERecord?id=CVE-2009-1390
https://www.redhat.com/archives/fedora-package-announce/2009-June/msg00715.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2009-06-16T20:26:00

Updated: 2024-08-07T05:13:25.481Z

Reserved: 2009-04-23T00:00:00

Link: CVE-2009-1390

Vulnrichment

No data.

NVD

Status : Modified

Published: 2009-06-16T21:00:00.343

Modified: 2017-08-17T01:30:19.460

Link: CVE-2009-1390

Redhat

Severity : Moderate

Publid Date: 2009-05-27T00:00:00Z

Links: CVE-2009-1390 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-06-10T00:00:00", "descriptions": [{"lang": "en", "value": "Mutt 1.5.19, when linked against (1) OpenSSL (mutt_ssl.c) or (2) GnuTLS (mutt_ssl_gnutls.c), allows connections when only one TLS certificate in the chain is accepted instead of verifying the entire chain, which allows remote attackers to spoof trusted servers via a man-in-the-middle attack."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-16T14:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "35288", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/35288"}, {"name": "FEDORA-2009-6465", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-June/msg00715.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://dev.mutt.org/hg/mutt/rev/64bf199c8d8a"}, {"name": "mutt-x509-security-bypass(51068)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/51068"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://dev.mutt.org/hg/mutt/rev/8f11dd00c770"}, {"name": "[oss-security] 20090610 Mutt 1.5.19 SSL chain verification flaw", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2009/06/10/2"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T05:13:25.481Z"}, "title": "CVE Program Container", "references": [{"name": "35288", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/35288"}, {"name": "FEDORA-2009-6465", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-June/msg00715.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://dev.mutt.org/hg/mutt/rev/64bf199c8d8a"}, {"name": "mutt-x509-security-bypass(51068)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/51068"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://dev.mutt.org/hg/mutt/rev/8f11dd00c770"}, {"name": "[oss-security] 20090610 Mutt 1.5.19 SSL chain verification flaw", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2009/06/10/2"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2009-1390", "datePublished": "2009-06-16T20:26:00", "dateReserved": "2009-04-23T00:00:00", "dateUpdated": "2024-08-07T05:13:25.481Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mutt:mutt:1.5.19:*:*:*:*:*:*:*", "matchCriteriaId": "89C33B31-B9BC-4E43-8221-219380B4B682", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "matchCriteriaId": "DDA1CA86-1405-4C25-9BC2-5A5E6A76B911", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:gnu:gnutls:*:*:*:*:*:*:*:*", "matchCriteriaId": "2745A1E0-C586-4686-A5AC-C82ABE726D5C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mutt 1.5.19, when linked against (1) OpenSSL (mutt_ssl.c) or (2) GnuTLS (mutt_ssl_gnutls.c), allows connections when only one TLS certificate in the chain is accepted instead of verifying the entire chain, which allows remote attackers to spoof trusted servers via a man-in-the-middle attack."}, {"lang": "es", "value": "Mutt v1.5.\u00ba9, enlazado contra (1) OpenSSL (mutt_ssl.c) o (2) GnuTLS (mutt_ssl_gnutls.c), permite conexiones cuando se acepta un certificado TLS en la cadena en vez de verificar esta \u00faltima, lo que permite a atacantes remotos suplantar servidores de confianda a trav\u00e9s de un ataque hombre-en-medio(Man-in-the-middle)."}], "id": "CVE-2009-1390", "lastModified": "2017-08-17T01:30:19.460", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": true, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2009-06-16T21:00:00.343", "references": [{"source": "secalert@redhat.com", "tags": ["Exploit", "Patch"], "url": "http://dev.mutt.org/hg/mutt/rev/64bf199c8d8a"}, {"source": "secalert@redhat.com", "tags": ["Exploit"], "url": "http://dev.mutt.org/hg/mutt/rev/8f11dd00c770"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "http://www.openwall.com/lists/oss-security/2009/06/10/2"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/35288"}, {"source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/51068"}, {"source": "secalert@redhat.com", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-June/msg00715.html"}], "sourceIdentifier": "secalert@redhat.com", "vendorComments": [{"comment": "Not vulnerable. This issue did not affect the versions of mutt as shipped with Red Hat Enterprise Linux 3, 4, or 5. Only mutt version 1.5.19 was affected by this flaw.", "lastModified": "2009-06-17T00:00:00", "organization": "Red Hat"}], "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}