Vulnerability DatabaseCVE-2012-4929
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2012-4929
September 15, 2012
The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.
Related Resources (37)
http://www.ubuntu.com/usn/USN-1628-1
http://jvn.jp/en/jp/JVN65273415/index.html
https://bugzilla.redhat.com/show_bug.cgi?id=857051
http://www.debian.org/security/2012/dsa-2579
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html
http://lists.opensuse.org/opensuse-updates/2012-10/msg00096.html
http://rhn.redhat.com/errata/RHSA-2013-0587.html
https://threatpost.com/en_us/blogs/demo-crime-tls-attack-091212
http://www.theregister.co.uk/2012/09/14/crime_tls_attack/
http://www.debian.org/security/2013/dsa-2627
http://isecpartners.com/blog/2012/9/14/details-on-the-crime-attack.html
http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/
https://people.canonical.com/~ubuntu-security/cve/CVE-2012-4929
http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
http://support.apple.com/kb/HT5784
https://chromiumcodereview.appspot.com/10825183
http://security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor
https://github.com/mpgn/CRIME-poc
http://code.google.com/p/chromium/issues/detail?id=139744
http://www.ubuntu.com/usn/USN-1898-1
https://access.redhat.com/security/cve/CVE-2012-4929
http://threatpost.com/en_us/blogs/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312
http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000129.html
http://threatpost.com/en_us/blogs/new-attack-uses-ssltls-information-leak-hijack-https-sessions-090512
https://gist.github.com/3696912
http://lists.opensuse.org/opensuse-updates/2013-01/msg00034.html
https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls
http://www.debian.org/security/2015/dsa-3253
http://marc.info/?l=bugtraq&m=136612293908376&w=2
http://www.ekoparty.org/2012/thai-duong.php
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18920
http://lists.opensuse.org/opensuse-updates/2013-01/msg00048.html
http://www.securityfocus.com/bid/55704
http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091
http://news.ycombinator.com/item?id=4510829
https://security-tracker.debian.org/tracker/CVE-2012-4929
http://www.ubuntu.com/usn/USN-1627-1
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
3.7
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE
CVSS v2
Base Score:
2.6
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
EPSS
Base Score:
15.29