CVE-2009-0255

The System extension Install tool in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 creates the encryption key with an insufficiently random seed, which makes it easier for attackers to crack the key.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://secunia.com/advisories/33617	Broken Link Vendor Advisory
http://secunia.com/advisories/33679	Broken Link Vendor Advisory
http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/	Vendor Advisory
http://www.debian.org/security/2009/dsa-1711	Mailing List
http://www.securityfocus.com/bid/33376	Broken Link Third Party Advisory VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/48132	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:typo3:typo3::::::::
	cpe:2.3:a:typo3:typo3::::::::
	cpe:2.3:a:typo3:typo3::::::::

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2009-01-22 23:30

Updated : 2024-02-14 16:10

NVD link : CVE-2009-0255

Mitre link : CVE-2009-0255

CVE.ORG link : CVE-2009-0255

JSON object : View

Products Affected

debian

debian_linux

typo3

typo3

CWE

CWE-330

Use of Insufficiently Random Values

{"id": "CVE-2009-0255", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2009-01-22T23:30:00.203", "references": [{"url": "http://secunia.com/advisories/33617", "tags": ["Broken Link", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://secunia.com/advisories/33679", "tags": ["Broken Link", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-001/", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.debian.org/security/2009/dsa-1711", "tags": ["Mailing List"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/33376", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48132", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-330"}]}], "descriptions": [{"lang": "en", "value": "The System extension Install tool in TYPO3 4.0.0 through 4.0.9, 4.1.0 through 4.1.7, and 4.2.0 through 4.2.3 creates the encryption key with an insufficiently random seed, which makes it easier for attackers to crack the key."}, {"lang": "es", "value": "La herramienta de instalaci\u00f3n de extensiones del sistema en TYPO3 v4.0.9 a v4.0.0, v4.1.0 a v4.1.7, v4.2.0 y v4.2.3 crea la clave de encriptaci\u00f3n con una insuficiente aleatoriedad en la semilla, lo que facilita craquear la clave a los atacantes."}], "lastModified": "2024-02-14T16:10:04.203", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FCD45EC2-1866-4CFC-B841-8B0B879B5565", "versionEndExcluding": "4.0.10", "versionStartIncluding": "4.0"}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EB66C8C2-1FAE-4C54-9284-A940CBEDBC00", "versionEndExcluding": "4.1.8", "versionStartIncluding": "4.1.0"}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BBFEC718-5811-4B4D-96CF-A37488974D4A", "versionEndExcluding": "4.2.4", "versionStartIncluding": "4.2.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0F92AB32-E7DE-43F4-B877-1F41FA162EC7"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}