CVE-2012-4929

TLS 1.2 - Info Disclosure


Description

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.

Exploits (2)

Working PoC (nomisec, 30 stars) by mpgn: https://github.com/mpgn/CRIME-poc
Scanner (nomisec, 5 stars) by anthophilee: https://github.com/anthophilee/A2SV--SSL-VUL-Scan

References (34)

Various Sources (x_refsource_misc): https://gist.github.com/3696912
Various Sources (x_refsource_confirm): https://chromiumcodereview.appspot.com/10825183
Various Sources (x_refsource_misc): https://github.com/mpgn/CRIME-poc
Mailing List, vendor-advisory (x_refsource_hp): http://marc.info/?l=bugtraq&m=136612293908376&w=2
Vendor Advisory, vendor-advisory (x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2013-0587.html
Third Party Advisory, vendor-advisory (x_refsource_debian): http://www.debian.org/security/2012/dsa-2579
Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora): http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html
Vendor Advisory, vendor-advisory (x_refsource_ubuntu): http://www.ubuntu.com/usn/USN-1898-1
Mailing List, vendor-advisory (x_refsource_suse): http://lists.opensuse.org/opensuse-updates/2012-10/msg00096.html
Third Party Advisory, vendor-advisory (x_refsource_debian): http://www.debian.org/security/2015/dsa-3253
Mailing List, vendor-advisory (x_refsource_suse): http://lists.opensuse.org/opensuse-updates/2013-01/msg00048.html
Various Sources (x_refsource_misc): http://news.ycombinator.com/item?id=4510829
Vendor Advisory (x_refsource_confirm): http://support.apple.com/kb/HT5784
Mailing List, vendor-advisory (x_refsource_apple): http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
Third Party Advisory, third-party-advisory (x_refsource_jvndb): http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000129.html
Vendor Advisory, vendor-advisory (x_refsource_ubuntu): http://www.ubuntu.com/usn/USN-1627-1
Third Party Advisory, vendor-advisory (x_refsource_debian): http://www.debian.org/security/2013/dsa-2627
Third Party Advisory, VDB Entry, vdb-entry, signature (x_refsource_oval): https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18920
Third Party Advisory, VDB Entry, vdb-entry (x_refsource_bid): http://www.securityfocus.com/bid/55704
Vendor Advisory, vendor-advisory (x_refsource_ubuntu): http://www.ubuntu.com/usn/USN-1628-1
Various Sources (x_refsource_misc): http://www.ekoparty.org/2012/thai-duong.php
Mailing List, vendor-advisory (x_refsource_suse): http://lists.opensuse.org/opensuse-updates/2013-01/msg00034.html
Third Party Advisory, third-party-advisory (x_refsource_jvn): http://jvn.jp/en/jp/JVN65273415/index.html
Issue Tracking (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=857051

Scores

EPSS 0.1387
EPSS Percentile 94.3%

Details

CWE
CWE-310
Status published
Products (4)
debian/debian_linux 7.0
debian/debian_linux 8.0
google/chrome
mozilla/firefox
Published Sep 15, 2012
Tracked Since Feb 18, 2026