CVE-2009-3555

CVSS V2 Medium 5.8 CVSS V3 None

Description

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

Overview

CVE ID
CVE-2009-3555

Assigner
secalert@redhat.com

Vulnerability Status
Modified

Published Version
2009-11-09T17:30:00

Last Modified Date
2023-02-13T02:20:27

Weakness Enumerations

CWE	URL
CWE-295	http://cwe.mitre.org/data/definitions/295.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version Start	Version End
cpe:2.3:a:apache:http_server::::::::	1	OR		2.2.14
cpe:2.3:a:gnu:gnutls::::::::	1	OR		2.8.5
cpe:2.3:a:mozilla:nss::::::::	1	OR		3.12.4
cpe:2.3:a:openssl:openssl::::::::	1	OR		0.9.8k
cpe:2.3:a:openssl:openssl:1.0::openvms:::::	1	OR
cpe:2.3:o:canonical:ubuntu_linux:8.04::::lts:::	1	OR
cpe:2.3:o:canonical:ubuntu_linux:8.10:::::::*	1	OR
cpe:2.3:o:canonical:ubuntu_linux:9.04:::::::*	1	OR
cpe:2.3:o:canonical:ubuntu_linux:9.10:::::::*	1	OR
cpe:2.3:o:canonical:ubuntu_linux:10.04::::lts:::	1	OR
cpe:2.3:o:canonical:ubuntu_linux:10.10:::::::*	1	OR
cpe:2.3:o:debian:debian_linux:4.0:::::::*	1	OR
cpe:2.3:o:debian:debian_linux:5.0:::::::*	1	OR
cpe:2.3:o:debian:debian_linux:6.0:::::::*	1	OR
cpe:2.3:o:debian:debian_linux:7.0:::::::*	1	OR
cpe:2.3:o:debian:debian_linux:8.0:::::::*	1	OR
cpe:2.3:o:fedoraproject:fedora:11:::::::*	1	OR
cpe:2.3:o:fedoraproject:fedora:12:::::::*	1	OR
cpe:2.3:o:fedoraproject:fedora:13:::::::*	1	OR
cpe:2.3:o:fedoraproject:fedora:14:::::::*	1	OR
cpe:2.3:a:f5:nginx::::::::	1	OR	0.1.0	0.8.22

CVSS Version 2

Version
2.0

Vector String
AV:N/AC:M/Au:N/C:N/I:P/A:P

Access Vector
NETWORK

Access Compatibility
MEDIUM

Authentication
NONE

Confidentiality Impact
NONE

Integrity Impact
PARTIAL

Availability Impact
PARTIAL

Base Score
5.8

Severity
MEDIUM

Exploitability Score
8.6

Impact Score
4.9

References

Reference URL	Reference Tags
http://www.tombom.co.uk/blog/?p=85	Broken Link
http://www.ietf.org/mail-archive/web/tls/current/msg03948.html	Third Party Advisory
http://secunia.com/advisories/37292	Third Party Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=526689	Issue Tracking Third Party Advisory
http://extendedsubset.com/?p=8	Broken Link
http://www.ietf.org/mail-archive/web/tls/current/msg03928.html	Third Party Advisory
http://www.vupen.com/english/advisories/2009/3165	Third Party Advisory
http://marc.info/?l=cryptography&m=125752275331877&w=2	Third Party Advisory
http://blogs.sun.com/security/entry/vulnerability_in_tls_protocol_during	Third Party Advisory
http://www.vupen.com/english/advisories/2009/3164	Third Party Advisory
http://marc.info/?l=apache-httpd-announce&m=125755783724966&w=2	Third Party Advisory
http://kbase.redhat.com/faq/docs/DOC-20491	Third Party Advisory
https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt	Third Party Advisory
http://lists.gnu.org/archive/html/gnutls-devel/2009-11/msg00029.html	Third Party Advisory
http://www.securityfocus.com/bid/36935	Exploit Patch Third Party Advisory VDB Entry
http://www.betanews.com/article/1257452450	Third Party Advisory
http://www.openwall.com/lists/oss-security/2009/11/06/3	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2009/11/05/3	Mailing List Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=533125	Issue Tracking Third Party Advisory
http://www.links.org/?p=780	Third Party Advisory
http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html	Third Party Advisory
http://secunia.com/advisories/37291	Third Party Advisory
http://www.openwall.com/lists/oss-security/2009/11/05/5	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2009/11/07/3	Mailing List Third Party Advisory
http://extendedsubset.com/Renegotiating_TLS.pdf	Broken Link
http://www.cisco.com/en/US/products/products_security_advisory09186a0080b01d1d.shtml	Third Party Advisory
http://www.securitytracker.com/id?1023163	Third Party Advisory VDB Entry
http://www.kb.cert.org/vuls/id/120541	Third Party Advisory US Government Resource
http://www.links.org/?p=789	Third Party Advisory
http://seclists.org/fulldisclosure/2009/Nov/139	Mailing List Third Party Advisory
http://blogs.iss.net/archive/sslmitmiscsrf.html	Broken Link
http://www.links.org/?p=786	Third Party Advisory
http://www.vupen.com/english/advisories/2009/3220	Third Party Advisory
http://support.citrix.com/article/CTX123359	Third Party Advisory
http://secunia.com/advisories/37320	Third Party Advisory
http://www.vupen.com/english/advisories/2009/3205	Third Party Advisory
http://www.securegoose.org/2009/11/tls-renegotiation-vulnerability-cve.html	Third Party Advisory
http://securitytracker.com/id?1023148	Third Party Advisory VDB Entry
http://sunsolve.sun.com/search/document.do?assetkey=1-66-273029-1	Broken Link
http://www.debian.org/security/2009/dsa-1934	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00009.html	Third Party Advisory
http://sysoev.ru/nginx/patch.cve-2009-3555.txt	Broken Link
http://www.openwall.com/lists/oss-security/2009/11/20/1	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2009/11/23/10	Mailing List Third Party Advisory
http://wiki.rpath.com/Advisories:rPSA-2009-0155	Third Party Advisory
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00442.html	Third Party Advisory
http://www.securitytracker.com/id?1023272	Third Party Advisory VDB Entry
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00428.html	Third Party Advisory
http://www.securitytracker.com/id?1023271	Third Party Advisory VDB Entry
http://openbsd.org/errata45.html#010_openssl	Third Party Advisory
http://www.securitytracker.com/id?1023207	Third Party Advisory VDB Entry
http://secunia.com/advisories/37656	Third Party Advisory
http://www.securitytracker.com/id?1023211	Third Party Advisory VDB Entry
http://www.securitytracker.com/id?1023218	Third Party Advisory VDB Entry
http://www.vupen.com/english/advisories/2009/3353	Third Party Advisory
http://www.securitytracker.com/id?1023209	Third Party Advisory VDB Entry
http://www.securitytracker.com/id?1023273	Third Party Advisory VDB Entry
http://security.gentoo.org/glsa/glsa-200912-01.xml	Third Party Advisory
http://www.securitytracker.com/id?1023215	Third Party Advisory VDB Entry
http://www.ingate.com/Relnote.php?ver=481	Third Party Advisory
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00449.html	Third Party Advisory
http://secunia.com/advisories/37504	Third Party Advisory
http://www.securitytracker.com/id?1023208	Third Party Advisory VDB Entry
http://www.securitytracker.com/id?1023212	Third Party Advisory VDB Entry
http://www.securitytracker.com/id?1023243	Third Party Advisory VDB Entry
https://support.f5.com/kb/en-us/solutions/public/10000/700/sol10737.html	Third Party Advisory
http://clicky.me/tlsvuln	Exploit Third Party Advisory
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00634.html	Third Party Advisory
http://www.securitytracker.com/id?1023204	Third Party Advisory VDB Entry
http://secunia.com/advisories/37501	Third Party Advisory
http://www.securitytracker.com/id?1023217	Third Party Advisory VDB Entry
http://www.securitytracker.com/id?1023210	Third Party Advisory VDB Entry
http://www.securitytracker.com/id?1023274	Third Party Advisory VDB Entry
http://secunia.com/advisories/37675	Third Party Advisory
http://www.securitytracker.com/id?1023205	Third Party Advisory VDB Entry
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01945686	Broken Link
http://www.securitytracker.com/id?1023275	Third Party Advisory VDB Entry
http://www.securitytracker.com/id?1023216	Third Party Advisory VDB Entry
http://openbsd.org/errata46.html#004_openssl	Third Party Advisory
http://www.securitytracker.com/id?1023270	Third Party Advisory VDB Entry
http://blog.g-sec.lu/2009/11/tls-sslv3-renegotiation-vulnerability.html	Third Party Advisory
http://www.securitytracker.com/id?1023206	Third Party Advisory VDB Entry
http://osvdb.org/60521	Broken Link
http://www.securitytracker.com/id?1023219	Third Party Advisory VDB Entry
http://www.vupen.com/english/advisories/2009/3354	Third Party Advisory
http://secunia.com/advisories/37604	Third Party Advisory
http://secunia.com/advisories/37859	Third Party Advisory
http://www.vupen.com/english/advisories/2009/3484	Third Party Advisory
http://www.vupen.com/english/advisories/2009/3587	Third Party Advisory
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00645.html	Third Party Advisory
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00944.html	Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg24025312	Third Party Advisory
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01029.html	Third Party Advisory
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01020.html	Third Party Advisory
http://secunia.com/advisories/37640	Third Party Advisory
http://osvdb.org/60972	Broken Link
http://www-1.ibm.com/support/search.wss?rs=0&q=PM00675&apar=only	Third Party Advisory
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.2c	Broken Link
http://www.vupen.com/english/advisories/2009/3521	Third Party Advisory
http://tomcat.apache.org/native-doc/miscellaneous/changelog-1.1.x.html	Broken Link
http://lists.apple.com/archives/security-announce/2010/Jan/msg00000.html	Mailing List Third Party Advisory
http://secunia.com/advisories/38056	Third Party Advisory
http://support.zeus.com/zws/media/docs/4.3/RELEASE_NOTES	Broken Link
http://support.zeus.com/zws/news/2010/01/13/zws_4_3r5_released	Broken Link
http://support.apple.com/kb/HT4004	Third Party Advisory
http://secunia.com/advisories/38241	Third Party Advisory
http://www.vupen.com/english/advisories/2010/0173	Third Party Advisory
http://secunia.com/advisories/38484	Third Party Advisory
http://osvdb.org/62210	Broken Link
http://www.arubanetworks.com/support/alerts/aid-020810.txt	Broken Link
http://www.vupen.com/english/advisories/2010/0086	Third Party Advisory
http://secunia.com/advisories/38003	Third Party Advisory
http://support.avaya.com/css/P8/documents/100070150	Third Party Advisory
http://www.securitytracker.com/id?1023428	Third Party Advisory VDB Entry
http://www.securitytracker.com/id?1023427	Third Party Advisory VDB Entry
http://www.securitytracker.com/id?1023411	Third Party Advisory VDB Entry
http://www.securitytracker.com/id?1023426	Third Party Advisory VDB Entry
http://www.redhat.com/support/errata/RHSA-2010-0119.html	Third Party Advisory
http://secunia.com/advisories/38687	Third Party Advisory
http://secunia.com/advisories/38020	Third Party Advisory
http://sunsolve.sun.com/search/document.do?assetkey=1-66-274990-1	Broken Link
http://sunsolve.sun.com/search/document.do?assetkey=1-26-273350-1	Broken Link
http://www.redhat.com/support/errata/RHSA-2010-0167.html	Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2010-0155.html	Third Party Advisory
http://www.vupen.com/english/advisories/2010/0748	Third Party Advisory
http://secunia.com/advisories/39243	Third Party Advisory
http://secunia.com/advisories/39136	Third Party Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=545755	Issue Tracking Third Party Advisory
http://www.mozilla.org/security/announce/2010/mfsa2010-22.html	Third Party Advisory
http://secunia.com/advisories/39242	Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2010-0338.html	Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2010-0339.html	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html	Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2010-0337.html	Third Party Advisory
http://secunia.com/advisories/39317	Third Party Advisory
http://ubuntu.com/usn/usn-923-1	Third Party Advisory
http://secunia.com/advisories/39292	Third Party Advisory
http://secunia.com/advisories/37453	Third Party Advisory
http://www.securitytracker.com/id?1023224	Third Party Advisory VDB Entry
http://secunia.com/advisories/37383	Third Party Advisory
http://secunia.com/advisories/37399	Third Party Advisory
http://www.vupen.com/english/advisories/2009/3310	Third Party Advisory
http://www.vupen.com/english/advisories/2009/3313	Third Party Advisory
http://www.securitytracker.com/id?1023214	Third Party Advisory VDB Entry
http://www.securitytracker.com/id?1023213	Third Party Advisory VDB Entry
http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.597446	Third Party Advisory
http://www.vupen.com/english/advisories/2010/0848	Third Party Advisory
http://secunia.com/advisories/38781	Third Party Advisory
http://secunia.com/advisories/39278	Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2010-0130.html	Third Party Advisory
http://www.ubuntu.com/usn/USN-927-1	Third Party Advisory
http://secunia.com/advisories/39500	Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg1IC67848	Third Party Advisory
http://www.vupen.com/english/advisories/2010/0982	Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21426108	Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2010:076	Broken Link
http://www.vupen.com/english/advisories/2010/0933	Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2010:084	Broken Link
http://secunia.com/advisories/39628	Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg1PM12247	Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2010-April/039561.html	Third Party Advisory
http://secunia.com/advisories/39461	Third Party Advisory
http://www.vupen.com/english/advisories/2010/0916	Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2010:089	Broken Link
http://www.vupen.com/english/advisories/2010/1054	Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2010-April/039957.html	Third Party Advisory
http://support.avaya.com/css/P8/documents/100081611	Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2010-0165.html	Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2010-May/040652.html	Third Party Advisory
http://secunia.com/advisories/39632	Third Party Advisory
http://secunia.com/advisories/39713	Third Party Advisory
http://www.vupen.com/english/advisories/2010/0994	Third Party Advisory
http://marc.info/?l=bugtraq&m=127419602507642&w=2	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html	Third Party Advisory
http://www.vupen.com/english/advisories/2010/1107	Third Party Advisory
http://lists.apple.com/archives/security-announce/2010//May/msg00002.html	Mailing List Third Party Advisory
http://secunia.com/advisories/39819	Third Party Advisory
http://lists.apple.com/archives/security-announce/2010//May/msg00001.html	Mailing List Third Party Advisory
http://support.apple.com/kb/HT4170	Third Party Advisory
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021752.1-1	Broken Link
http://support.apple.com/kb/HT4171	Third Party Advisory
http://www.vupen.com/english/advisories/2010/1191	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html	Third Party Advisory
http://www.vupen.com/english/advisories/2010/1350	Third Party Advisory
http://secunia.com/advisories/40070	Third Party Advisory
http://osvdb.org/65202	Broken Link
http://www.openoffice.org/security/cves/CVE-2009-3555.html	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html	Third Party Advisory
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021653.1-1	Broken Link
http://secunia.com/advisories/39127	Third Party Advisory
http://www.vupen.com/english/advisories/2010/1639	Third Party Advisory
http://www.opera.com/support/search/view/944/	Third Party Advisory
http://www.ubuntu.com/usn/USN-927-5	Third Party Advisory
http://www.vupen.com/english/advisories/2010/1673	Third Party Advisory
http://www.opera.com/docs/changelogs/unix/1060/	Third Party Advisory
http://www.ubuntu.com/usn/USN-927-4	Third Party Advisory
http://www.vupen.com/english/advisories/2010/1793	Third Party Advisory
http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02273751	Broken Link
http://secunia.com/advisories/40545	Third Party Advisory
http://secunia.com/advisories/40747	Third Party Advisory
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02436041	Broken Link
http://www.vupen.com/english/advisories/2010/2010	Third Party Advisory
http://secunia.com/advisories/40866	Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg1IC68054	Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21432298	Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg1IC68055	Third Party Advisory
http://www.us-cert.gov/cas/techalerts/TA10-222A.html	Third Party Advisory US Government Resource
http://secunia.com/advisories/41490	Third Party Advisory
http://secunia.com/advisories/41480	Third Party Advisory
http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02512995	Third Party Advisory
http://www.vupen.com/english/advisories/2010/2745	Third Party Advisory
http://support.avaya.com/css/P8/documents/100114315	Third Party Advisory
http://support.avaya.com/css/P8/documents/100114327	Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2010-0770.html	Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049528.html	Third Party Advisory
http://www.us-cert.gov/cas/techalerts/TA10-287A.html	Third Party Advisory US Government Resource
http://www.ubuntu.com/usn/USN-1010-1	Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2010-0786.html	Third Party Advisory
http://secunia.com/advisories/41972	Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049702.html	Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2010-0807.html	Third Party Advisory
http://secunia.com/advisories/41967	Third Party Advisory
http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html	Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049455.html	Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2010-0865.html	Third Party Advisory
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS10-030/index.html	Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2010-0768.html	Third Party Advisory
http://www.vupen.com/english/advisories/2010/3086	Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg24006386	Third Party Advisory
http://secunia.com/advisories/42379	Third Party Advisory
http://secunia.com/advisories/42377	Third Party Advisory
http://www.securitytracker.com/id?1024789	Third Party Advisory VDB Entry
http://secunia.com/advisories/42467	Third Party Advisory
http://www.vupen.com/english/advisories/2010/3126	Third Party Advisory
http://www.vmware.com/security/advisories/VMSA-2010-0019.html	Third Party Advisory
http://www.vupen.com/english/advisories/2010/3069	Third Party Advisory
http://secunia.com/advisories/42811	Third Party Advisory
http://www.vupen.com/english/advisories/2011/0032	Third Party Advisory
http://www.debian.org/security/2011/dsa-2141	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00005.html	Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2010-0986.html	Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2010-0987.html	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00006.html	Third Party Advisory
http://secunia.com/advisories/42724	Third Party Advisory
http://secunia.com/advisories/42816	Third Party Advisory
http://secunia.com/advisories/42808	Third Party Advisory
http://secunia.com/advisories/42733	Third Party Advisory
https://kb.bluecoat.com/index?page=content&id=SA50	Third Party Advisory
http://www.vupen.com/english/advisories/2011/0033	Third Party Advisory
http://www.vupen.com/english/advisories/2011/0086	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00006.html	Third Party Advisory
http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html	Third Party Advisory
http://secunia.com/advisories/43308	Third Party Advisory
http://www.vmware.com/security/advisories/VMSA-2011-0003.html	Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html	Third Party Advisory
http://secunia.com/advisories/44183	Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2011-0880.html	Third Party Advisory
http://marc.info/?l=bugtraq&m=130497311408250&w=2	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.html	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00014.html	Third Party Advisory
http://marc.info/?l=bugtraq&m=132077688910227&w=2	Third Party Advisory
http://secunia.com/advisories/44954	Third Party Advisory
http://xss.cx/examples/plesk-reports/plesk-parallels-controlpanel-psa.v.10.3.1_build1013110726.09%20os_redhat.el6-billing-system-plugin-javascript-injection-example-poc-report.html	Exploit Third Party Advisory
http://www.securityfocus.com/archive/1/522176	Third Party Advisory VDB Entry
http://security.gentoo.org/glsa/glsa-201203-22.xml	Third Party Advisory
http://secunia.com/advisories/48577	Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html	Third Party Advisory
http://archives.neohapsis.com/archives/bugtraq/2013-11/0120.html	Broken Link
http://security.gentoo.org/glsa/glsa-201406-32.xml	Third Party Advisory
http://www.openssl.org/news/secadv_20091111.txt	Third Party Advisory
http://secunia.com/advisories/41818	Third Party Advisory
http://marc.info/?l=bugtraq&m=142660345230545&w=2	Third Party Advisory
http://www.debian.org/security/2015/dsa-3253	Third Party Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888	Third Party Advisory
http://marc.info/?l=bugtraq&m=127128920008563&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=134254866602253&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=127557596201693&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=126150535619567&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=133469267822771&w=2	Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/54158	Third Party Advisory VDB Entry
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8535	Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8366	Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7973	Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7478	Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7315	Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11617	Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11578	Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10088	Third Party Advisory
http://www.securityfocus.com/archive/1/516397/100/0/threaded	Third Party Advisory VDB Entry
http://www.securityfocus.com/archive/1/515055/100/0/threaded	Third Party Advisory VDB Entry
http://www.securityfocus.com/archive/1/508130/100/0/threaded	Third Party Advisory VDB Entry
http://www.securityfocus.com/archive/1/508075/100/0/threaded	Third Party Advisory VDB Entry
http://www.securityfocus.com/archive/1/507952/100/0/threaded	Third Party Advisory VDB Entry
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-049
https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220@%3Cdev.tomcat.apache.org%3E

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2009-3555
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555

History

Created	Old Value	New Value	Data Type	Notes
2022-05-10 07:24:23				Added to TrackCVE
2023-02-02 19:02:37		2023-02-02T17:16:43	CVE Modified Date	updated
2023-02-02 19:02:37	Analyzed	Modified	Vulnerability Status	updated
2023-02-02 19:02:38	The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.	CVE-2009-3555 TLS: MITM attacks via session renegotiation	Description	updated
2023-02-13 03:03:21		2023-02-13T02:20:27	CVE Modified Date	updated
2023-02-13 03:03:22	CVE-2009-3555 TLS: MITM attacks via session renegotiation	The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.	Description	updated