Unrated severityNVD Advisory· Published Aug 14, 2009· Updated Apr 23, 2026
CVE-2009-2417
CVE-2009-2417
Description
lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Affected products
74cpe:2.3:a:curl:libcurl:7.4.1:*:*:*:*:*:*:*+ 59 more
- cpe:2.3:a:curl:libcurl:7.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.5:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.6:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.7:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.8:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.9:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.9.7:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.9.8:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.10:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.10.3:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.10.4:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.10.5:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.10.6:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.10.7:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.10.8:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.12:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.12.2:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.12.3:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.13:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.13.2:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.14:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.14.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.15:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.15.2:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.15.3:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.16.3:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.17.0:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.17.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.4:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.19.2:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.19.3:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.19.4:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.19.5:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.18.0:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.18.1:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.18.2:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.19.0:*:*:*:*:*:*:*
- cpe:2.3:a:curl:libcurl:7.19.1:*:*:*:*:*:*:*
cpe:2.3:a:libcurl:libcurl:7.12:*:*:*:*:*:*:*+ 13 more
- cpe:2.3:a:libcurl:libcurl:7.12:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.12.2:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.12.3:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.13:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.13.2:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.14:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.14.1:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.15:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.15.2:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.15.3:*:*:*:*:*:*:*
- cpe:2.3:a:libcurl:libcurl:7.16.3:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
28- curl.haxx.se/CVE-2009-2417/curl-7.10.6-CVE-2009-2417.patchnvdPatch
- curl.haxx.se/CVE-2009-2417/curl-7.11.0-CVE-2009-2417.patchnvdPatch
- curl.haxx.se/CVE-2009-2417/curl-7.12.1-CVE-2009-2417.patchnvdPatch
- curl.haxx.se/CVE-2009-2417/curl-7.15.1-CVE-2009-2417.patchnvdPatch
- curl.haxx.se/CVE-2009-2417/curl-7.15.5-CVE-2009-2417.patchnvdPatch
- curl.haxx.se/CVE-2009-2417/curl-7.16.4-CVE-2009-2417.patchnvdPatchVendor Advisory
- curl.haxx.se/CVE-2009-2417/curl-7.18.1-CVE-2009-2417.patchnvdPatch
- curl.haxx.se/CVE-2009-2417/curl-7.19.0-CVE-2009-2417.patchnvdPatch
- curl.haxx.se/CVE-2009-2417/curl-7.19.5-CVE-2009-2417.patchnvdPatch
- curl.haxx.se/docs/adv_20090812.txtnvdVendor Advisory
- secunia.com/advisories/36238nvdVendor Advisory
- www.vupen.com/english/advisories/2009/2263nvdVendor Advisory
- lists.apple.com/archives/security-announce/2010//Mar/msg00001.htmlnvd
- secunia.com/advisories/36475nvd
- secunia.com/advisories/37471nvd
- secunia.com/advisories/45047nvd
- shibboleth.internet2.edu/secadv/secadv_20090817.txtnvd
- support.apple.com/kb/HT4077nvd
- wiki.rpath.com/Advisories:rPSA-2009-0124nvd
- www.securityfocus.com/archive/1/506055/100/0/threadednvd
- www.securityfocus.com/archive/1/507985/100/0/threadednvd
- www.securityfocus.com/bid/36032nvd
- www.ubuntu.com/usn/USN-1158-1nvd
- www.vmware.com/security/advisories/VMSA-2009-0016.htmlnvd
- www.vupen.com/english/advisories/2009/3316nvd
- exchange.xforce.ibmcloud.com/vulnerabilities/52405nvd
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10114nvd
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8542nvd
News mentions
0No linked articles in our index yet.