Vulnerability details: VCID-9dxv-6zus-aaan
Vulnerability ID VCID-9dxv-6zus-aaan
Aliases CVE-2012-4929
Summary The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Weaknesses (1)
System Score Found at
generic_textual MODERATE http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
generic_textual MODERATE http://marc.info/?l=bugtraq&m=136612293908376&w=2
rhas Moderate https://access.redhat.com/errata/RHSA-2013:0587
rhas Important https://access.redhat.com/errata/RHSA-2013:0636
rhas Important https://access.redhat.com/errata/RHSA-2014:0416
epss 0.00232 https://api.first.org/data/v1/epss?cve=CVE-2012-4929
epss 0.12977 https://api.first.org/data/v1/epss?cve=CVE-2012-4929
epss 0.13137 https://api.first.org/data/v1/epss?cve=CVE-2012-4929
epss 0.13442 https://api.first.org/data/v1/epss?cve=CVE-2012-4929
epss 0.13867 https://api.first.org/data/v1/epss?cve=CVE-2012-4929
epss 0.23484 https://api.first.org/data/v1/epss?cve=CVE-2012-4929
epss 0.24898 https://api.first.org/data/v1/epss?cve=CVE-2012-4929
epss 0.63978 https://api.first.org/data/v1/epss?cve=CVE-2012-4929
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
cvssv2 2.6 https://nvd.nist.gov/vuln/detail/CVE-2012-4929
generic_textual MODERATE http://support.apple.com/kb/HT5784
generic_textual MODERATE http://www.debian.org/security/2015/dsa-3253
Reference id Reference type URL
http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/
http://code.google.com/p/chromium/issues/detail?id=139744
http://isecpartners.com/blog/2012/9/14/details-on-the-crime-attack.html
http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000129.html
http://jvn.jp/en/jp/JVN65273415/index.html
http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html
http://lists.opensuse.org/opensuse-updates/2012-10/msg00096.html
http://lists.opensuse.org/opensuse-updates/2013-01/msg00034.html
http://lists.opensuse.org/opensuse-updates/2013-01/msg00048.html
http://marc.info/?l=bugtraq&m=136612293908376&w=2
http://news.ycombinator.com/item?id=4510829
http://rhn.redhat.com/errata/RHSA-2013-0587.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-4929.json
https://api.first.org/data/v1/epss?cve=CVE-2012-4929
https://bugzilla.redhat.com/show_bug.cgi?id=857051
https://chromiumcodereview.appspot.com/10825183
https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4929
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
http://security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor
https://gist.github.com/3696912
https://github.com/mpgn/CRIME-poc
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18920
https://threatpost.com/en_us/blogs/demo-crime-tls-attack-091212
http://support.apple.com/kb/HT5784
http://threatpost.com/en_us/blogs/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312
http://threatpost.com/en_us/blogs/new-attack-uses-ssltls-information-leak-hijack-https-sessions-090512
http://www.debian.org/security/2012/dsa-2579
http://www.debian.org/security/2013/dsa-2627
http://www.debian.org/security/2015/dsa-3253
http://www.ekoparty.org/2012/thai-duong.php
http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091
http://www.securityfocus.com/bid/55704
http://www.theregister.co.uk/2012/09/14/crime_tls_attack/
http://www.ubuntu.com/usn/USN-1627-1
http://www.ubuntu.com/usn/USN-1628-1
http://www.ubuntu.com/usn/USN-1898-1
689936 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689936
cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
CVE-2012-4929 https://nvd.nist.gov/vuln/detail/CVE-2012-4929
GLSA-201309-12 https://security.gentoo.org/glsa/201309-12
RHSA-2013:0587 https://access.redhat.com/errata/RHSA-2013:0587
RHSA-2013:0636 https://access.redhat.com/errata/RHSA-2013:0636
RHSA-2014:0416 https://access.redhat.com/errata/RHSA-2014:0416
USN-1627-1 https://usn.ubuntu.com/1627-1/
USN-1628-1 https://usn.ubuntu.com/1628-1/
USN-1898-1 https://usn.ubuntu.com/1898-1/
No exploits are available.
Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2012-4929
Vector components (CVSS v2, decoded from AV:N/AC:H/Au:N/C:P/I:N/A:N):
Exploitability (E): not_defined (temporal metric, not part of the vector)
Access Vector (AV): network
Access Complexity (AC): high
Authentication (Au): none
Confidentiality Impact (C): partial
Integrity Impact (I): none
Availability Impact (A): none

Exploit Prediction Scoring System (EPSS)
Percentile 0.61722
EPSS Score 0.00232
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.