{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/2623?format=json","vulnerability_id":"VCID-qtgw-bjrx-sug7","summary":"IOActive security researcher Dan Kaminsky reported a\nmismatch in the treatment of domain names in SSL certificates between SSL\nclients and the Certificate Authorities (CA) which issue server certificates.\nIn particular, if a malicious person requested a certificate for a host name\nwith an invalid null character in it most CAs would issue the\ncertificate if the requester owned the domain specified after the null, while\nmost SSL clients (browsers) ignored that part of the name and used the\nunvalidated part in front of the null. This made it possible for attackers to\nobtain certificates that would function for any site they wished to target.\nThese certificates could be used to intercept and potentially alter encrypted\ncommunication between the client and a server such as sensitive bank\naccount transactions. This vulnerability was independently reported to us by researcher\nMoxie Marlinspike who also noted that since Firefox\nrelies on SSL to protect the integrity of security updates this attack\ncould be used to serve malicious updates.\nMozilla would like to thank Dan and the Microsoft Vulnerability\nResearch team for coordinating a multiple-vendor response to this problem.","aliases":[{"alias":"CVE-2009-2408"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1121?format=json","purl":"pkg:mozilla/Firefox@3.0.13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.0.13"},{"url":"http://public2.vulnerablecode.io/api/packages/1111?format=json","purl":"pkg:mozilla/Firefox@3.5.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@3.5.0"},{"url":"http://public2.vulnerablecode.io/api/packages/1133?format=json","purl":"pkg:mozilla/NSS@3.12.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/NSS@3.12.3"},{"url":"http://public2.vulnerablecode.io/api/packages/1132?format=json","purl":"pkg:mozilla/SeaMonkey@1.1.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@1.1.18"}],"affected_packages":[],"references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408","reference_id":"CVE-2009-2408","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2009-42","reference_id":"mfsa2009-42","reference_type":"","scores":[{"value":"critical","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2009-42"}],"weaknesses":[],"exploits":[],"severity_range_score":"9.0 - 10.0","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qtgw-bjrx-sug7"}