CVE-2009-3555

Aliases:GHSA-f7w7-6pjc-wwm6

Advisory lineage Upstream: 0 Downstream: 38

Downstream

DEBIAN-CVE-2009-3555 DLA-400-1 DSA-1934-1 DSA-2141-1 DSA-2141-2 DSA-2626-1

Modified

Published: 09 Nov 2009, 17:00

Last modified:27 May 2026, 15:38

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.8 CRITICAL

v3.1 (nvd)

EPSS Score

3.74% LOW

4% probability +1.44%

KEV

Not listed

Ransomware

No reports

Public exploits

5 found

Dark Web

Not detected

Timeline

09 Nov 2009, 17:00

Published

Vulnerability first disclosed

27 May 2026, 15:38

Last Modified

Vulnerability information updated

Description

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

CVSS Metrics

v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
v2.0•MEDIUM•Score: 5.8AV:N/AC:M/Au:N/C:N/I:P/A:P

EPSS Trends

Current EPSS score: 3.74%• Percentile: 88%

Techniques & Countermeasures

CWE-295•Improper Certificate Validation
The product does not validate, or incorrectly validates, a certificate.
CWE-300•Channel Accessible by Non-Endpoint
The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

Affected Systems

Unknown•HTTP Server
≤ 2.2.14
canonical•ubuntu_linux
8.04 | 8.10 | 9.04 | 9.10 | 10.04 | 10.10
debian•debian_linux
4.0 | 5.0 | 6.0 | 7.0 | 8.0
f5•nginx
≥ 0.1.0, ≤ 0.8.22
fedoraproject•fedora
11 | 12 | 13 | 14
gnu•gnutls
≤ 2.8.5
org.apache.tomcat•tomcat
≥ 7.0.0, < 7.0.10 | ≥ 6.0.0, < 6.0.32 | ≥ 5.0.0, < 5.5.33
mozilla•nss
≤ 3.12.4
Unknown•OpenSSL
≤ 0.9.8k | 1.0