CVE-2011-1094

Summary

CVE	CVE-2011-1094
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2011-03-16 22:55:00 UTC
Updated	2017-08-17 01:33:00 UTC
Description	kio/kio/tcpslavebase.cpp in KDE KSSL in kdelibs before 4.6.1 does not properly verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a certificate issued by a legitimate Certification Authority for an IP address, a different vulnerability than CVE-2009-2702.

Risk And Classification

Problem Types: CWE-20

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Redhat	Kdelibs	3.5.10	All	All	All
Application	Redhat	Kdelibs	3.5.2	All	All	All
Application	Redhat	Kdelibs	3.5.9	All	All	All
Application	Redhat	Kdelibs	3.5.10	All	All	All
Application	Redhat	Kdelibs	3.5.2	All	All	All
Application	Redhat	Kdelibs	3.5.9	All	All	All
Application	Redhat	Kdelibs	All	All	All	All

References

Reference	Source	Link	Tags
Support / Security / Advisories / / MDVSA-2011:071 \| Mandriva	MANDRIVA	www.mandriva.com
KDE kdelibs IP Address SSL Certificate Security Bypass Vulnerability	BID	www.securityfocus.com
Ubuntu update for kde4libs - Secunia.com	SECUNIA	secunia.com
oss-security - Re: KDE SSL name check issue	MLIST	openwall.com	Patch
kdelibs.git - The KDE Library	CONFIRM	projects.kde.org	Patch
oss-security - KDE SSL name check issue	MLIST	openwall.com	Patch
IBM X-Force Exchange	XF	exchange.xforce.ibmcloud.com
Webmail- OVH	VUPEN	www.vupen.com
USN-1110-1: KDE-Libs vulnerabilities \| Ubuntu	UBUNTU	www.ubuntu.com
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH	VUPEN	www.vupen.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.