Home > Vulnerability Database > CVE-2012-4929

Mend.io Vulnerability Database

CVE-2012-4929

Good to know:

Date: September 15, 2012

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.

Language: C++

Severity Score

3.7

Related Resources (39)

Url: http://www.debian.org/security/2015/dsa-3253

Url: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18920

Url: http://security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor

Url: http://www.theregister.co.uk/2012/09/14/crime_tls_attack/

Url: https://nvd.nist.gov/vuln/detail/CVE-2012-4929

Url: https://threatpost.com/en_us/blogs/demo-crime-tls-attack-091212

Url: http://rhn.redhat.com/errata/RHSA-2013-0587.html

Url: http://threatpost.com/en_us/blogs/new-attack-uses-ssltls-information-leak-hijack-https-sessions-090512

Url: http://jvn.jp/en/jp/JVN65273415/index.html

Url: https://bugzilla.redhat.com/show_bug.cgi?id=857051

Url: https://chromiumcodereview.appspot.com/10825183

Url: http://news.ycombinator.com/item?id=4510829

Url: http://code.google.com/p/chromium/issues/detail?id=139744

Url: https://gist.github.com/3696912

Url: https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2012-4929

Url: http://www.securityfocus.com/bid/55704

Url: http://www.ekoparty.org/2012/thai-duong.php

Url: http://isecpartners.com/blog/2012/9/14/details-on-the-crime-attack.html

Url: https://github.com/mpgn/CRIME-poc

Url: http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html

Url: http://www.debian.org/security/2013/dsa-2627

Url: http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html

Url: http://marc.info/?l=bugtraq&m=136612293908376&w=2

Url: http://www.ubuntu.com/usn/USN-1898-1

Url: http://support.apple.com/kb/HT5784

Url: http://lists.opensuse.org/opensuse-updates/2012-10/msg00096.html

Url: http://threatpost.com/en_us/blogs/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312

Url: http://www.ubuntu.com/usn/USN-1628-1

Url: http://www.ubuntu.com/usn/USN-1627-1

Url: http://www.debian.org/security/2012/dsa-2579

Url: http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091

Url: http://lists.opensuse.org/opensuse-updates/2013-01/msg00048.html

Url: http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000129.html

Url: https://access.redhat.com/security/cve/CVE-2012-4929

Url: https://security-tracker.debian.org/tracker/CVE-2012-4929

Url: http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/

Url: http://lists.opensuse.org/opensuse-updates/2013-01/msg00034.html

Url: https://www.mend.io/vulnerability-database/CVE-2012-4929

Severity Score

3.7

Weakness Type (CWE)

Cryptographic Issues

CWE-310

Top Fix

Upgrade Version

Upgrade to version 27.0.1414.0

Learn More

CVSS v3.1

Base Score:	3.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	2.6
Access Vector (AV):	NETWORK
Access Complexity (AC):	HIGH
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2012-4929

Good to know:

Date: September 15, 2012

Language: C++

Severity Score

Related Resources (39)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?