CVE-2012-3446

{"id": "CVE-2012-3446", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2012-11-04T22:55:03.060", "references": [{"url": "http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf", "tags": ["Exploit"], "source": "secalert@redhat.com"}, {"url": "https://svn.apache.org/repos/asf/libcloud/trunk/CHANGES", "tags": ["Release Notes"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate."}, {"lang": "es", "value": "Apache Libcloud antes de v0.11.1 usa una expresi\u00f3n regular incorrecta durante la comprobaci\u00f3n de si el nombre del servidor coincide con un nombre de dominio en el nombre com\u00fan (CN) del sujeto o con el campo subjectAltName del certificado X.509, lo que permite falsificar servidores SSL a atacantes man-in-the-middle mediante un certificado v\u00e1lido de su elecci\u00f3n."}], "lastModified": "2024-02-14T17:22:51.063", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:libcloud:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5BA84103-FCEF-4050-A42D-3CDFACD04B52", "versionEndExcluding": "0.11.0"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}