Vulnerability Details : CVE-2012-4930
The SPDY protocol 3 and earlier, as used in Mozilla Firefox, Google Chrome, and other products, can perform TLS encryption of compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.
Products affected by CVE-2012-4930
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-4930
EPSS score: 0.25% (estimated probability of exploitation activity in the next 30 days)
EPSS percentile: ~65% (the proportion of all scored vulnerabilities with an EPSS score at or below this one)
EPSS Score History
CVSS scores for CVE-2012-4930
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
2.6 | LOW | AV:N/AC:H/Au:N/C:P/I:N/A:N | 4.9 | 2.9 | NIST |
CWE ids for CVE-2012-4930
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-4930
- Details on the "Crime" Attack - http://isecpartners.com/blog/2012/9/14/details-on-the-crime-attack.html
- Paper: Compression and Information Leakage of Plaintext - http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091
- Crack in Internet's foundation of trust allows HTTPS session hijacking (Ars Technica) - http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/
- Threatpost - http://threatpost.com/en_us/blogs/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312
- The perfect CRIME? New HTTPS web hijack attack explained (The Register) - http://www.theregister.co.uk/2012/09/14/crime_tls_attack/
- Red Hat Bugzilla 857737: (CVE-2012-4930) CVE-2012-4930 SPDY: SSL/TLS CRIME attack - https://bugzilla.redhat.com/show_bug.cgi?id=857737
- Qualys Security Labs blog (link currently returns "404 Page Not Found") - https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls
- [security-announce] SUSE-SU-2012:1351-1: important: Security update for - http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00010.html
- ekoparty security conference - http://www.ekoparty.org/2012/thai-duong.php