CVE-2009-0127 (GCVE-0-2009-0127)
Vulnerability from cvelistv5 – Published: 2009-01-15 17:00 – Updated: 2024-09-16 21:03 Disputed
VLAI
EPSS
VEX
Summary
M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because "these functions are not used anywhere in m2crypto.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=479676 | x_refsource_MISC |
| http://openwall.com/lists/oss-security/2009/01/12/4 | mailing-listx_refsource_MLIST |
| http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511515 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T04:24:17.481Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=479676"
},
{
"name": "[oss-security] 20090112 CVE Request -- tsqllib, slurm-llnl, libnasl, libcrypt-openssl-dsa-perl, erlang, boinc-client, m2crypto",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2009/01/12/4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511515"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because \"these functions are not used anywhere in m2crypto."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2009-01-15T17:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=479676"
},
{
"name": "[oss-security] 20090112 CVE Request -- tsqllib, slurm-llnl, libnasl, libcrypt-openssl-dsa-perl, erlang, boinc-client, m2crypto",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2009/01/12/4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511515"
}
],
"tags": [
"disputed"
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2009-0127",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** DISPUTED ** M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because \"these functions are not used anywhere in m2crypto.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=479676",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=479676"
},
{
"name": "[oss-security] 20090112 CVE Request -- tsqllib, slurm-llnl, libnasl, libcrypt-openssl-dsa-perl, erlang, boinc-client, m2crypto",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2009/01/12/4"
},
{
"name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511515",
"refsource": "MISC",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511515"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2009-0127",
"datePublished": "2009-01-15T17:00:00.000Z",
"dateReserved": "2009-01-15T00:00:00.000Z",
"dateUpdated": "2024-09-16T21:03:01.336Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2009-0127",
"date": "2026-07-15",
"epss": "0.01379",
"percentile": "0.68977"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:heikkitoivonen:m2crypto:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0FDB41E1-9DB5-4F02-AAA3-8CB475EE073F\"}]}]}]",
"cveTags": "[{\"sourceIdentifier\": \"cve@mitre.org\", \"tags\": [\"disputed\"]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because \\\"these functions are not used anywhere in m2crypto.\"}, {\"lang\": \"es\", \"value\": \"** CUESTIONADA ** M2Crypto no comprueba adecuadamente el valor de retorno de las funciones OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify y ECDSA_do_verify, lo que permitiria a atacantes remotos evitar la validacion del certificado en cadena a traves de una firma SSL/TLS malformada, una vulnerabilidad similar a CVE-2008-5077. NOTE: Un fabricante de Linux cuestiona la relevancia de este informe en el producto M2Crypto debido a que \\\"esas funciones no se utilizan en ningun sitio de m2crypto\\\".\"}]",
"id": "CVE-2009-0127",
"lastModified": "2024-11-21T00:59:06.927",
"metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2009-01-15T17:30:00.577",
"references": "[{\"url\": \"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511515\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://openwall.com/lists/oss-security/2009/01/12/4\", \"source\": \"cve@mitre.org\", \"tags\": [\"Mailing List\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=479676\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Issue Tracking\"]}, {\"url\": \"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511515\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://openwall.com/lists/oss-security/2009/01/12/4\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=479676\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Issue Tracking\"]}]",
"sourceIdentifier": "cve@mitre.org",
"vendorComments": "[{\"organization\": \"Red Hat\", \"comment\": \"Red Hat does not consider this to be a security issue. M2Crypto provides python interfaces to multiple OpenSSL functions. Neither of those interfaces is further used by M2Crypto in an insecure way. Additionally, no application shipped in Red Hat Enterprise Linux is known to use affected interfaces provided by M2Crypto.\\n\\nFurther details can be found in the following bug report: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0127#c1\", \"lastModified\": \"2009-01-21T00:00:00\"}]",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-287\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2009-0127\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2009-01-15T17:30:00.577\",\"lastModified\":\"2026-04-23T00:35:47.467\",\"vulnStatus\":\"Modified\",\"cveTags\":[{\"sourceIdentifier\":\"cve@mitre.org\",\"tags\":[\"disputed\"]}],\"descriptions\":[{\"lang\":\"en\",\"value\":\"M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because \\\"these functions are not used anywhere in m2crypto.\"},{\"lang\":\"es\",\"value\":\"** CUESTIONADA ** M2Crypto no comprueba adecuadamente el valor de retorno de las funciones OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify y ECDSA_do_verify, lo que permitiria a atacantes remotos evitar la validacion del certificado en cadena a traves de una firma SSL/TLS malformada, una vulnerabilidad similar a CVE-2008-5077. NOTE: Un fabricante de Linux cuestiona la relevancia de este informe en el producto M2Crypto debido a que \\\"esas funciones no se utilizan en ningun sitio de m2crypto\\\".\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:heikkitoivonen:m2crypto:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0FDB41E1-9DB5-4F02-AAA3-8CB475EE073F\"}]}]}],\"references\":[{\"url\":\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511515\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://openwall.com/lists/oss-security/2009/01/12/4\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=479676\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Issue Tracking\"]},{\"url\":\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511515\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://openwall.com/lists/oss-security/2009/01/12/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=479676\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\"]}],\"vendorComments\":[{\"organization\":\"Red Hat\",\"comment\":\"Red Hat does not consider this to be a security issue. M2Crypto provides python interfaces to multiple OpenSSL functions. Neither of those interfaces is further used by M2Crypto in an insecure way. Additionally, no application shipped in Red Hat Enterprise Linux is known to use affected interfaces provided by M2Crypto.\\n\\nFurther details can be found in the following bug report: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0127#c1\",\"lastModified\":\"2009-01-21T00:00:00\"}]}}",
"redhat_vex": {
"current_release_date": "2025-11-21T16:06:00+00:00",
"cve": "CVE-2009-0127",
"id": "CVE-2009-0127",
"initial_release_date": "2009-01-11T00:00:00+00:00",
"product_status:known_not_affected": "1",
"source": "Red Hat CSAF VEX",
"status": "final",
"title": "m2crypto: OpenSSL incorrect checks for malformed signatures",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2009/cve-2009-0127.json",
"version": "3"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…