CVE-2012-2132
Published 2012-08-20
Priority: P4 · 30 · medium
CVSS 2.0: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
EPSS: 1.55% (72.1st percentile)
libsoup 2.32.2 and earlier does not validate certificates or clear the trust flag when the ssl-ca-file does not exist, which allows remote attackers to bypass authentication by connecting with a SSL connection.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | midori | — | — |
| gnome | libsoup | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | LOW | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
GHSA
GHSA-5g62-v8vq-wrxx: libsoup 2
ghsa_unreviewed·2022-05-17
CVE-2012-2132 [MEDIUM] CWE-287
OSV
CVE-2012-2132: libsoup 2
osv·2012-08-20·CVSS 5.0
Red Hat
libsoup: does not indicate whether or not an SSL certificate is valid
vendor_redhat·2012-04-23·CVSS 5.0
Statement: Not vulnerable. This issue did not affect the versions of libsoup as shipped with Red Hat Enterprise Linux 5 and 6, as they do not include support for the SOUP_MESSAGE_CERTIFICATE_TRUSTED feature.
Package: libsoup (Red Hat Enterprise Linux 5) - Not affected
Package: libsoup (Red Hat Enterprise Linux 6) - Not affected
Debian
CVE-2012-2132: midori - libsoup 2.32.2 and earlier does not validate certificates or clear the trust fla...
vendor_debian·2012·CVSS 5.0
Scope: local
bullseye: open
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2012-2132 libsoup: does not indicate whether or not an SSL certificate is valid [fedora-15]
bugzilla·2012-05-02·CVSS 5.0
libsoup-2.34.3-2.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/libsoup-2.34.3-2.fc15
Discussion:
Package libsoup-2.34.3-2.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing libsoup-2.34.3-2.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-7246/libsoup-2.34.3-2.fc15
then log in and leave karma (feedback).
---
Fedora 15 reached End Of Life.
Bugzilla
CVE-2012-2132 libsoup: does not indicate whether or not an SSL certificate is valid
bugzilla·2012-04-30·CVSS 5.0
It was reported [1] that libsoup did not verify certificates if an application using it did not explicitly specify a file with trusted root certificate authorities. Because libsoup relies on the verification failure to clear the trust flag, it would always consider SSL connections as trusted in this circumstance.
SUSE has a patch to correct this flaw in libsoup 2.32.2 in their bugzilla [2]. Looking at the patch, it would apply to earlier versions of libsoup as well.
[1] https://bugzilla.novell.com/show_bug.cgi?id=758431
[2] https://bugzillafiles.novell.org/attachment.cgi?id=487674
Discussion:
The CVE is wrong. The bug is in Midori. It is telling libsoup to trust all SSL certificates, and so then libsou
References
- http://www.openwall.com/lists/oss-security/2012/04/24/13
- http://www.openwall.com/lists/oss-security/2012/04/24/3
- http://www.openwall.com/lists/oss-security/2012/04/30/7
- http://www.openwall.com/lists/oss-security/2012/05/02/8
- http://www.securityfocus.com/bid/53232
- https://bugzilla.gnome.org/show_bug.cgi?id=666280
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75167