VYPR
Medium severity 5.9 · NVD Advisory · Published Jul 30, 2009 · Updated Jun 16, 2026

CVE-2009-2408

Description

Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5.
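
The class of flaw described above, as an added C example (not NSS code and not from the advisory): a hostname check that treats the CN as a C string stops at the embedded '\0', while a length-aware check rejects it. The struct, function names and sample CN values are constructed for illustration; the assumption is that the decoder hands over the CN as bytes plus a length, and case folding and wildcard matching are left out.

```c
#include <stdio.h>
#include <string.h>

/* A CN value as an ASN.1 decoder yields it: raw bytes plus explicit length. */
struct cn_value {
    const unsigned char *data;
    size_t len;
};

/* Constructed samples. The first carries an embedded '\0' after the name a
 * client expects; the literals' trailing NUL keeps strcmp() in bounds. */
static const unsigned char NUL_CN[] = "www.example.com\0.untrusted.example";
static const unsigned char CLEAN_CN[] = "www.example.com";
static const struct cn_value nul_cn = { NUL_CN, sizeof NUL_CN - 1 };
static const struct cn_value clean_cn = { CLEAN_CN, sizeof CLEAN_CN - 1 };

/* Flawed pattern: the CN is compared as a C string, so the comparison ends
 * at the first '\0' and the rest of the signed name is never looked at. */
int cn_matches_truncating(const struct cn_value *cn, const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* Length-aware check: any '\0' inside the decoded value is rejected, and
 * the comparison covers every byte of the CN. */
int cn_matches_strict(const struct cn_value *cn, const char *host)
{
    size_t host_len = strlen(host);

    if (cn->len == 0 || memchr(cn->data, '\0', cn->len) != NULL)
        return 0;                       /* empty or embedded NUL */
    if (cn->len != host_len)
        return 0;                       /* lengths must agree exactly */
    return memcmp(cn->data, host, host_len) == 0;
}

int main(void)
{
    const char *host = "www.example.com";

    printf("NUL CN,   truncating: %d\n", cn_matches_truncating(&nul_cn, host));
    printf("NUL CN,   strict:     %d\n", cn_matches_strict(&nul_cn, host));
    printf("clean CN, strict:     %d\n", cn_matches_strict(&clean_cn, host));
    return 0;
}
```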

Affected products (15)

  • cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* (range: <3.0.13)
    • (no CPE) (range: <3.0.13)
  • cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:* (range: <3.12.3)
  • cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:* (range: <1.1.18)
    • (no CPE) (range: <1.1.18)
  • cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* (range: <2.0.0.23)
    • (no CPE) (range: <2.0.0.23)
  • cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*
    • cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*
    • cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*
    • cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:5.0:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:opensuse:*:*:*:*:*:*:*:* (range: >=10.3,<=11.1)
  • cpe:2.3:o:suse:linux_enterprise:10.0:-:*:*:*:*:*:*
    • cpe:2.3:o:suse:linux_enterprise:10.0:-:*:*:*:*:*:*
    • cpe:2.3:o:suse:linux_enterprise:11.0:-:*:*:*:*:*:*
  • cpe:2.3:o:suse:linux_enterprise_server:9:*:*:*:*:*:*:*
