PT-2009-1096 · Openssl+2

Scott Cantor · Published 2009-08-12 · Updated 2024-06-15 · CVE-2009-2417

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: cURL versions 7.4 through 7.19.5; cURL version 7.19.6 and earlier
Description: The issue allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. It is caused by faulty handling of a NUL ('\0') character in a domain name in the subject's Common Name (CN) field of an X.509 certificate when cURL is built against OpenSSL: the name comparison stops at the NUL byte, so only the part of the CN before it is checked against the requested host. The vulnerability can be exploited remotely, potentially leading to a breach of confidentiality, integrity, and availability of protected information.
Recommendations: For cURL versions 7.4 through 7.19.5, update to a version later than 7.19.5 to resolve the issue. For cURL version 7.19.6 and earlier, update to a version later than 7.19.6. As a temporary workaround, consider disabling the use of OpenSSL in cURL until a patch is available. Restrict access to SSL servers to minimize the risk of exploitation.
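The defect described above comes down to comparing a length-prefixed ASN.1 string as if it were a NUL-terminated C string. The following is an added example, not cURL's or OpenSSL's own code, that places that flawed comparison beside a length-aware check which rejects any CN carrying an embedded NUL. The CN bytes, host names and function names are constructed for illustration; the code has no OpenSSL dependency and runs stand-alone.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Two ways of comparing a certificate Common Name (CN) against the host the
 * client intended to reach.  An X.509 CN is an ASN.1 string with an explicit
 * length and may contain any byte, including NUL.  Code that hands the CN
 * bytes to C string functions stops at the first NUL and therefore only
 * compares a prefix of what the certificate actually says.
 */

/* Flawed pattern: the CN is treated as a NUL-terminated C string and the
 * length reported by the certificate is ignored. */
int cn_matches_host_cstring(const unsigned char *cn, size_t cn_len,
                            const char *host)
{
    (void)cn_len; /* the defect: the real length is never consulted */
    return strcmp((const char *)cn, host) == 0;
}

/* Hardened pattern: honour the certificate's length, reject any CN that
 * carries an embedded NUL, and compare the whole byte string. */
int cn_matches_host_len(const unsigned char *cn, size_t cn_len,
                        const char *host)
{
    if (memchr(cn, '\0', cn_len) != NULL)
        return 0; /* embedded NUL: a hostname can never contain one */
    if (strlen(host) != cn_len)
        return 0; /* lengths differ, so the names cannot be equal */
    return memcmp(cn, host, cn_len) == 0;
}

/* Constructed sample CN (not taken from any real certificate): 30 bytes with
 * a NUL after "expected.example".  sizeof() counts the literal's trailing NUL,
 * which is excluded from the length a certificate would report. */
static const unsigned char SAMPLE_CN[] = "expected.example\0other.example";
static const size_t SAMPLE_CN_LEN = sizeof(SAMPLE_CN) - 1;

/* The name the client intended to reach (constructed). */
static const char *const INTENDED_HOST = "expected.example";

/* Returns 1: the C-string comparison sees only "expected.example". */
int flawed_accepts_sample(void)
{
    return cn_matches_host_cstring(SAMPLE_CN, SAMPLE_CN_LEN, INTENDED_HOST);
}

/* Returns 0: the length-aware comparison rejects the embedded NUL. */
int hardened_accepts_sample(void)
{
    return cn_matches_host_len(SAMPLE_CN, SAMPLE_CN_LEN, INTENDED_HOST);
}

/* Returns 1: a well-formed CN with no embedded NUL is still accepted. */
int hardened_accepts_clean(void)
{
    const unsigned char clean[] = "expected.example";
    return cn_matches_host_len(clean, sizeof(clean) - 1, INTENDED_HOST);
}

int main(void)
{
    printf("C-string comparison accepts sample CN:      %d\n",
           flawed_accepts_sample());
    printf("length-aware comparison accepts sample CN:  %d\n",
           hardened_accepts_sample());
    printf("length-aware comparison accepts clean CN:   %d\n",
           hardened_accepts_clean());
    return 0;
}
```

The length check alone would not be enough: a CN whose total length happens to equal the host name's length could still hide a NUL, so the explicit memchr() rejection is what closes the gap. Real verification code should also prefer the subjectAltName dNSName entries over the CN, applying the same byte-length discipline to each of them.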

Fix


Weakness Enumeration

Related Identifiers

BDU:2015-09400
BDU:2015-09905
CVE-2009-2417
DSA-1869-1
OPENSUSE-SU-2024:10303-1
RHSA-2009:1209
RHSA-2009_1209

Affected Products

Openssl
Red Hat
Curl