PT-2010-2902 · Libesmtp · Libesmtp

Kees Cook · Published 2010-03-31 · Updated 2010-05-22 · CVE-2010-1194

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

libESMTP versions 1.0.3.r1 through 1.0.4

Description

The issue arises from the match_component function in smtp-tls.c, which incorrectly treats two strings as equal if one is a substring of the other. This allows remote attackers to spoof trusted certificates by crafting a subjectAltName.

Recommendations

For libESMTP versions 1.0.3.r1 through 1.0.4, consider disabling the match_component function until a patch is available to prevent remote attackers from spoofing trusted certificates.
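The comparison flaw in the description can be shown with a short added example; this is not libESMTP's code. The function names and host names are constructed for illustration, wildcard handling is omitted, and the flawed comparator models the prefix case of the substring match by stopping as soon as either name component runs out.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef int (*label_cmp)(const char *, size_t, const char *, size_t);

/* Flawed: the loop ends when either label runs out, so a prefix counts as equal. */
static int label_equal_flawed(const char *a, size_t alen, const char *b, size_t blen)
{
    for (size_t i = 0; i < alen && i < blen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Strict: lengths must agree first; then the same loop covers every byte. */
static int label_equal_strict(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen)
        return 0;
    return label_equal_flawed(a, alen, b, blen);
}

/* Compare two dot-separated names label by label with the given comparator. */
static int host_matches(const char *host, const char *cert_name, label_cmp cmp)
{
    for (;;) {
        size_t hl = strcspn(host, "."), cl = strcspn(cert_name, ".");
        if (!cmp(host, hl, cert_name, cl))
            return 0;
        host += hl;
        cert_name += cl;
        if (*host == '\0' || *cert_name == '\0')
            return *host == '\0' && *cert_name == '\0';
        host++;       /* step over the dot separating labels */
        cert_name++;
    }
}

int main(void)
{
    /* Constructed names: the expected host and a shorter certificate name. */
    const char *host = "mail.example.test", *san = "ma.example.t";
    printf("flawed: %d\n", host_matches(host, san, label_equal_flawed));
    printf("strict: %d\n", host_matches(host, san, label_equal_strict));
    return 0;
}
```

A regression test for a certificate name matcher should include names whose components are prefixes of the expected ones, since equal-length test inputs never exercise this path.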

Fix


Weakness Enumeration

Related Identifiers

CVE-2010-1194

Affected Products

Libesmtp