CVE-2012-4929: Linux vulnerability

CWE-310 | 14 documents | 8 sources
Severity: 2.6 LOW (NVD)
EPSS: 13.9% (top 5.69%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 15; Latest update May 14

Description

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.

CVSS vector

AV:N/AC:H/C:P/I:N/A:N
Exploitability: 4.9 | Impact: 2.9

Affected Packages (4 packages)

Debian | lighttpd/lighttpd | < 1.4.30-1 | +3
Debian | f5/nginx | < 1.2.1-2.2 | +3
Debian | apsis/pound | < 2.6-3 | +2
Debian | openssl/openssl | < 1.0.1e-5 | +3

Also affects: Debian Linux 7.0, 8.0

🔴 Vulnerability Details (3)

GHSA: GHSA-348j-44v2-vwfr: The TLS protocol 1 (2022-05-14)
OSV: CVE-2012-4929: The TLS protocol 1 (2012-09-15)
CVEList: CVE-2012-4929: The TLS protocol 1 (2012-09-15)

📋 Vendor Advisories (6)

Red Hat: BREACH attack against HTTP compression (2013-08-02)
Ubuntu: OpenSSL vulnerability (2013-07-04)
Ubuntu: Qt vulnerability (2012-11-08)
Ubuntu: Apache HTTP Server vulnerabilities (2012-11-08)
Red Hat: SSL/TLS CRIME attack against HTTPS (2012-09-13)

💬 Community (4)

Bugzilla: CVE-2013-0169 CVE-2012-4929 mingw32-openssl various flaws [epel-5] (2013-03-12)
Bugzilla: CVE-2013-0169 CVE-2013-0169 CVE-2012-4929 mingw-openssl various flaws [fedora-all] (2013-03-12)
Bugzilla: CVE-2012-4929 SSL/TLS CRIME attack against HTTPS [fedora-all] (2012-12-11)
Bugzilla: CVE-2012-4929 SSL/TLS CRIME attack against HTTPS (2012-09-13)