Vulnerability Description
The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian | Debian Linux | 7.0 |
| Chrome | All versions | |
| Mozilla | Firefox | All versions |
Related Weaknesses (CWE)
References
- http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/
- http://code.google.com/p/chromium/issues/detail?id=139744
- http://isecpartners.com/blog/2012/9/14/details-on-the-crime-attack.html
- http://jvn.jp/en/jp/JVN65273415/index.html
- http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000129.html
- http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html
- http://lists.opensuse.org/opensuse-updates/2012-10/msg00096.html
- http://lists.opensuse.org/opensuse-updates/2013-01/msg00034.html
- http://lists.opensuse.org/opensuse-updates/2013-01/msg00048.html
- http://marc.info/?l=bugtraq&m=136612293908376&w=2
- http://news.ycombinator.com/item?id=4510829
- http://rhn.redhat.com/errata/RHSA-2013-0587.html
- http://security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-su
- http://support.apple.com/kb/HT5784
FAQ
What is CVE-2012-4929?
CVE-2012-4929 is a vulnerability with a CVSS score of 2.6 (LOW). The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which ...
How severe is CVE-2012-4929?
CVE-2012-4929 has been rated LOW with a CVSS base score of 2.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-4929?
Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Google Chrome, Mozilla Firefox.