cvelist | Canonical | CVELIST:CVE-2012-0955
History: Dec 02, 2020 - 12:50 a.m.

CVE-2012-0955 software-properties incorrectly validated TLS certificates

2020-12-02 00:50:15
CWE-295
canonical
www.cve.org
cve-2012-0955
software-properties
tls certificates
vulnerability
python2
python3
version 0.92

CVSS3: 6.8

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

EPSS: 0.002
Percentile: 51.9%

software-properties was vulnerable to a person-in-the-middle attack due to incorrect TLS certificate validation in softwareproperties/ppa.py. software-properties didn’t check TLS certificates under python2 and only checked certificates under python3 if a valid certificate bundle was provided. Fixed in software-properties version 0.92.

CNA Affected

[
  {
    "product": "software-properties",
    "vendor": "Canonical",
    "versions": [
      {
        "lessThan": "0.92",
        "status": "affected",
        "version": "0.92",
        "versionType": "custom"
      }
    ]
  }
]
