CVE-2009-0127

{"id": "CVE-2009-0127", "cveTags": [{"tags": ["disputed"], "sourceIdentifier": "cve@mitre.org"}], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2009-01-15T17:30:00.577", "references": [{"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511515", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://openwall.com/lists/oss-security/2009/01/12/4", "tags": ["Mailing List"], "source": "cve@mitre.org"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=479676", "tags": ["Exploit", "Issue Tracking"], "source": "cve@mitre.org"}, {"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511515", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://openwall.com/lists/oss-security/2009/01/12/4", "tags": ["Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=479676", "tags": ["Exploit", "Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because \"these functions are not used anywhere in m2crypto."}, {"lang": "es", "value": "** CUESTIONADA ** M2Crypto no comprueba adecuadamente el valor de retorno de las funciones OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify y ECDSA_do_verify, lo que permitiria a atacantes remotos evitar la validacion del certificado en cadena a traves de una firma SSL/TLS malformada, una vulnerabilidad similar a CVE-2008-5077. NOTE: Un fabricante de Linux cuestiona la relevancia de este informe en el producto M2Crypto debido a que \"esas funciones no se utilizan en ningun sitio de m2crypto\"."}], "lastModified": "2025-04-09T00:30:58.490", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:heikkitoivonen:m2crypto:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0FDB41E1-9DB5-4F02-AAA3-8CB475EE073F"}], "operator": "OR"}]}], "vendorComments": [{"comment": "Red Hat does not consider this to be a security issue. M2Crypto provides python interfaces to multiple OpenSSL functions. Neither of those interfaces is further used by M2Crypto in an insecure way. Additionally, no application shipped in Red Hat Enterprise Linux is known to use affected interfaces provided by M2Crypto.\n\nFurther details can be found in the following bug report: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0127#c1", "lastModified": "2009-01-21T00:00:00", "organization": "Red Hat"}], "sourceIdentifier": "cve@mitre.org"}