Vulnerability Details : CVE-2016-5672
Intel Crosswalk before 19.49.514.5, 20.x before 20.50.533.11, 21.x before 21.51.546.0, and 22.x before 22.51.549.0 interprets a user's acceptance of one invalid X.509 certificate to mean that all invalid X.509 certificates should be accepted without prompting, which makes it easier for man-in-the-middle attackers to spoof SSL servers and obtain sensitive information via a crafted certificate.
Vulnerability category: Input validation
Exploit prediction scoring system (EPSS) score for CVE-2016-5672
Probability of exploitation activity in the next 30 days: 0.31%
Percentile (the proportion of vulnerabilities scored at or below this one): ~66%
CVSS scores for CVE-2016-5672
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N | 8.6 | 4.9 | NIST |
8.1 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N | 2.8 | 5.2 | NIST |
CWE ids for CVE-2016-5672
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-5672
- https://blogs.intel.com/evangelists/2016/07/28/crosswalk-security-vulnerability/ (Intel Software Evangelists blog; Vendor Advisory)
- https://crosswalk-project.org/jira/browse/XWALK-6986 (The Crosswalk Project issue tracker, XWALK-6986; Permissions Required; Technical Description)
- http://www.securityfocus.com/archive/1/539051/100/0/threaded (SecurityFocus mailing list archive)
- http://www.kb.cert.org/vuls/id/217871 (VU#217871: Intel CrossWalk project does not validate SSL certificates after first acceptance; Third Party Advisory; US Government Resource)
- http://packetstormsecurity.com/files/138107/Intel-Crosswalk-Project-Man-In-The-Middle.html (Intel Crosswalk Project Man-In-The-Middle, Packet Storm; Third Party Advisory; VDB Entry)
- https://wwws.nightwatchcybersecurity.com/2016/07/29/advisory-intel-crosswalk-ssl-prompt-issue (Advisory: Intel Crosswalk SSL Prompt Issue [CVE 2016-5672], Nightwatch Cybersecurity; Third Party Advisory)
- https://lists.crosswalk-project.org/pipermail/crosswalk-help/2016-July/002167.html (crosswalk-help mailing list, July 2016; Vendor Advisory)
- http://www.securityfocus.com/bid/92199 (Intel Crosswalk CVE-2016-5672 SSL Certificate Validation Security Bypass Vulnerability, SecurityFocus BID 92199; Third Party Advisory; VDB Entry)
Products affected by CVE-2016-5672
- cpe:2.3:a:intel:crosswalk:*:*:*:*:*:*:*:*