// For flags

CVE-2009-0591

 

Severity Score

7.5
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is enabled, does not properly handle errors associated with malformed signed attributes, which allows remote attackers to repudiate a signature that originally appeared to be valid but was actually invalid.

La función CMS_verify en OpenSSL v0.9.8h hasta v0.9.8j, cuando se ha habilitado CMS, no maneja adecuadamente los errores asociados con atributos firmados malformados, permitiendo a atacantes remotos rechazar una firma que originalmente aparentaba ser válida pero que realmente será inválida.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
High
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2009-02-13 CVE Reserved
  • 2009-03-27 CVE Published
  • 2024-08-07 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-287: Improper Authentication
CAPEC
References (28)
URL Tag Source
http://secunia.com/advisories/34666 Third Party Advisory
http://secunia.com/advisories/35065 Third Party Advisory
http://secunia.com/advisories/35380 Third Party Advisory
http://secunia.com/advisories/35729 Third Party Advisory
http://secunia.com/advisories/36701 Third Party Advisory
http://secunia.com/advisories/42724 Third Party Advisory
http://secunia.com/advisories/42733 Third Party Advisory
http://securitytracker.com/id?1021907 Vdb Entry
http://sourceforge.net/project/shownotes.php?release_id=671059&group_id=116847 X_refsource_confirm
http://support.apple.com/kb/HT3865 X_refsource_confirm
http://www.osvdb.org/52865 Vdb Entry
http://www.php.net/archive/2009.php#id2009-04-08-1 X_refsource_confirm
http://www.securityfocus.com/bid/34256 Vdb Entry
http://www.vupen.com/english/advisories/2009/1020 Vdb Entry
http://www.vupen.com/english/advisories/2009/1175 Vdb Entry
http://www.vupen.com/english/advisories/2009/1548 Vdb Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/49432 Vdb Entry
https://kb.bluecoat.com/index?page=content&id=SA50 X_refsource_confirm
URL Date SRC
URL Date SRC
URL Date SRC
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-008.txt.asc 2017-08-17
http://lists.apple.com/archives/security-announce/2009/Sep/msg00004.html 2017-08-17
http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.html 2017-08-17
http://marc.info/?l=bugtraq&m=124464882609472&w=2 2017-08-17
http://marc.info/?l=bugtraq&m=127678688104458&w=2 2017-08-17
http://secunia.com/advisories/34411 2017-08-17
http://secunia.com/advisories/34460 2017-08-17
http://voodoo-circle.sourceforge.net/sa/sa-20090326-01.html 2017-08-17
http://www.openssl.org/news/secadv_20090325.txt 2017-08-17
http://www.vupen.com/english/advisories/2009/0850 2017-08-17
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 0.9.8h
Search vendor "Openssl" for product "Openssl" and version "0.9.8h"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 0.9.8i
Search vendor "Openssl" for product "Openssl" and version "0.9.8i"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 0.9.8j
Search vendor "Openssl" for product "Openssl" and version "0.9.8j"
-
Affected