Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score (CVSS): 4.3
CVE Id: CVE-2011-1094
Last Modified: 20 Apr 2011 10:33:24
Published: 16 Mar 2011 06:55:04
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2011-1094

Summary

kio/kio/tcpslavebase.cpp in KDE KSSL in kdelibs before 4.6.1 does not properly verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a certificate issued by a legitimate Certification Authority for an IP address, a different vulnerability than CVE-2009-2702.

Vulnerable Systems

Application

  • Redhat Kdelibs 3.5.10
  • Redhat Kdelibs 3.5.2
  • Redhat Kdelibs 3.5.9
  • Redhat Kdelibs 4.6

References

  • CONFIRM - https://projects.kde.org/projects/kde/kdelibs/repository/revisions/76f935197599a335a5fe09b78751ddb455248cf7
  • MLIST - [oss-security] 20110308 Re: KDE SSL name check issue
  • MLIST - [oss-security] 20110308 KDE SSL name check issue
  • XF - kdelibs-ssl-security-bypass(65986)
  • VUPEN - ADV-2011-0990
  • VUPEN - ADV-2011-0913
  • UBUNTU - USN-1110-1
  • BID - 46789
  • MANDRIVA - MDVSA-2011:071
  • SECUNIA - 44108

Last Updated: 27 May 2016 10:56:09