Lucene search

[email protected]CVE-2012-5456

HistoryOct 24, 2012 - 5:55 p.m.

CVE-2012-5456

2012-10-2417:55:02

CWE-310

[email protected]

web.nvd.nist.gov

zoner antivirus

android

ssl

vulnerability

certificate

man-in-the-middle

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.6 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

45.9%

JSON

The Zoner AntiVirus Free application for Android does not verify that the server hostname matches a domain name in the subject’s Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, as demonstrated by a server used for updating virus signature files.

Affected configurations

NVD

Node

zonerzoner_antivirus_freeMatch--android

zonerzoner_antivirus_freeMatch1.7.0-android

CPENameOperatorVersion
zoner:zoner_antivirus_freezoner zoner antivirus freeeq-
zoner:zoner_antivirus_freezoner zoner antivirus freeeq1.7.0

CPE	Name	Operator	Version
zoner:zoner_antivirus_free	zoner zoner antivirus free	eq	-
zoner:zoner_antivirus_free	zoner zoner antivirus free	eq	1.7.0

References

www.securityfocus.com/bid/56292

www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf

exchange.xforce.ibmcloud.com/vulnerabilities/79591

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.6 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

45.9%

JSON

Related for CVE-2012-5456

prion1 nvd1 cvelist1