CVE-2012-0955 - OpenCVE

software-properties was vulnerable to a person-in-the-middle attack due to incorrect TLS certificate validation in softwareproperties/ppa.py. software-properties didn't check TLS certificates under python2 and only checked certificates under python3 if a valid certificate bundle was provided. Fixed in software-properties version 0.92.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Canonical	Software-properties

Configuration 1 [-]

cpe:2.3:a:canonical:software-properties:*:*:*:*:*:*:*:*

References

Link	Resource
https://code.launchpad.net/~cyphermox/software-properties/lp1036839/+merge/119753	Patch Vendor Advisory
https://launchpad.net/bugs/1036839	Exploit Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: canonical

Published: 2012-08-14T00:00:00

Updated: 2020-12-02T00:50:15

Reserved: 2012-02-01T00:00:00

Link: CVE-2012-0955

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-12-02T01:15:11.797

Modified: 2020-12-08T02:12:04.860

Link: CVE-2012-0955

JSON object: View

Redhat Information

No data.

CWE

CWE-295

{"containers": {"cna": {"affected": [{"product": "software-properties", "vendor": "Canonical", "versions": [{"lessThan": "0.92", "status": "affected", "version": "0.92", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Marc Deslauriers"}], "datePublic": "2012-08-14T00:00:00", "descriptions": [{"lang": "en", "value": "software-properties was vulnerable to a person-in-the-middle attack due to incorrect TLS certificate validation in softwareproperties/ppa.py. software-properties didn't check TLS certificates under python2 and only checked certificates under python3 if a valid certificate bundle was provided. Fixed in software-properties version 0.92."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "description": "CWE-295 Improper Certificate Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-12-02T00:50:15", "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical"}, "references": [{"tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://launchpad.net/bugs/1036839"}, {"tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://code.launchpad.net/~cyphermox/software-properties/lp1036839/+merge/119753"}], "source": {"defect": ["https://launchpad.net/bugs/1036839"], "discovery": "INTERNAL"}, "title": "software-properties incorrectly validated TLS certificates", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "", "ASSIGNER": "security@ubuntu.com", "DATE_PUBLIC": "2012-08-14T20:05:00.000Z", "ID": "CVE-2012-0955", "STATE": "PUBLIC", "TITLE": "software-properties incorrectly validated TLS certificates"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "software-properties", "version": {"version_data": [{"platform": "", "version_affected": "<", "version_name": "0.92", "version_value": "0.92"}]}}]}, "vendor_name": "Canonical"}]}}, "configuration": [], "credit": [{"lang": "eng", "value": "Marc Deslauriers"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "software-properties was vulnerable to a person-in-the-middle attack due to incorrect TLS certificate validation in softwareproperties/ppa.py. software-properties didn't check TLS certificates under python2 and only checked certificates under python3 if a valid certificate bundle was provided. Fixed in software-properties version 0.92."}]}, "exploit": [], "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-295 Improper Certificate Validation"}]}]}, "references": {"reference_data": [{"name": "https://launchpad.net/bugs/1036839", "refsource": "UBUNTU", "url": "https://launchpad.net/bugs/1036839"}, {"name": "https://code.launchpad.net/~cyphermox/software-properties/lp1036839/+merge/119753", "refsource": "UBUNTU", "url": "https://code.launchpad.net/~cyphermox/software-properties/lp1036839/+merge/119753"}]}, "solution": [], "source": {"advisory": "", "defect": ["https://launchpad.net/bugs/1036839"], "discovery": "INTERNAL"}, "work_around": []}}}, "cveMetadata": {"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "assignerShortName": "canonical", "cveId": "CVE-2012-0955", "datePublished": "2012-08-14T00:00:00", "dateReserved": "2012-02-01T00:00:00", "dateUpdated": "2020-12-02T00:50:15", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:software-properties:*:*:*:*:*:*:*:*", "matchCriteriaId": "DBB125BF-157F-4339-8D76-047D6B0687A6", "versionEndExcluding": "0.92", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "software-properties was vulnerable to a person-in-the-middle attack due to incorrect TLS certificate validation in softwareproperties/ppa.py. software-properties didn't check TLS certificates under python2 and only checked certificates under python3 if a valid certificate bundle was provided. Fixed in software-properties version 0.92."}, {"lang": "es", "value": "software-properties era vulnerable a un ataque de tipo person-in-the-middle debido a una comprobaci\u00f3n inapropiada del certificado TLS en el archivo softwareproperties/ppa.py. software-properties no comprob\u00f3 los certificados TLS en python2 y solo comprob\u00f3 los certificados en python3 si se proporcion\u00f3 un paquete de certificado v\u00e1lido. Corregido en software-properties versi\u00f3n 0.92"}], "id": "CVE-2012-0955", "lastModified": "2020-12-08T02:12:04.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2020-12-02T01:15:11.797", "references": [{"source": "security@ubuntu.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://code.launchpad.net/~cyphermox/software-properties/lp1036839/+merge/119753"}, {"source": "security@ubuntu.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://launchpad.net/bugs/1036839"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-295"}], "source": "security@ubuntu.com", "type": "Secondary"}]}