CVE-2012-4929

Published: Sep 15, 2012Modified: Apr 29, 2026

2.6

Vector

AV:N/AC:H/Au:N/C:P/I:N/A:N

Exploitability: 4.9 / Impact: 2.9

Source: NVD

Description

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.

Affected (4)

Products: Debian: Debian Linux · Google: Chrome · Mozilla: Firefox

1 product

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 7.0
Debian Debian Linux	Version 8.0

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Google Chrome	All versions
Mozilla Firefox	All versions

Related CWEs

CWE-310

References (68)

http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/

Source: cve@mitre.org

http://code.google.com/p/chromium/issues/detail?id=139744

Source: cve@mitre.org

http://isecpartners.com/blog/2012/9/14/details-on-the-crime-attack.html

Source: cve@mitre.org

http://jvn.jp/en/jp/JVN65273415/index.html

Source: cve@mitre.org

http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000129.html

Source: cve@mitre.org

http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html

Source: cve@mitre.org

http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html

Source: cve@mitre.org

http://lists.opensuse.org/opensuse-updates/2012-10/msg00096.html

Source: cve@mitre.org

http://lists.opensuse.org/opensuse-updates/2013-01/msg00034.html

Source: cve@mitre.org

http://lists.opensuse.org/opensuse-updates/2013-01/msg00048.html

Source: cve@mitre.org

http://marc.info/?l=bugtraq&m=136612293908376&w=2

Source: cve@mitre.org

http://news.ycombinator.com/item?id=4510829

Source: cve@mitre.org

http://rhn.redhat.com/errata/RHSA-2013-0587.html

Source: cve@mitre.org

http://security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor

Source: cve@mitre.org

http://support.apple.com/kb/HT5784

Source: cve@mitre.org

http://threatpost.com/en_us/blogs/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312

Source: cve@mitre.org

http://threatpost.com/en_us/blogs/new-attack-uses-ssltls-information-leak-hijack-https-sessions-090512

Source: cve@mitre.org

http://www.debian.org/security/2012/dsa-2579

Source: cve@mitre.org

http://www.debian.org/security/2013/dsa-2627

Source: cve@mitre.org

http://www.debian.org/security/2015/dsa-3253

Source: cve@mitre.org

http://www.ekoparty.org/2012/thai-duong.php

Source: cve@mitre.org

http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091

Source: cve@mitre.org

http://www.securityfocus.com/bid/55704

Source: cve@mitre.org

http://www.theregister.co.uk/2012/09/14/crime_tls_attack/

Source: cve@mitre.org

http://www.ubuntu.com/usn/USN-1627-1

Source: cve@mitre.org

http://www.ubuntu.com/usn/USN-1628-1

Source: cve@mitre.org

http://www.ubuntu.com/usn/USN-1898-1

Source: cve@mitre.org

https://bugzilla.redhat.com/show_bug.cgi?id=857051

Source: cve@mitre.org

https://chromiumcodereview.appspot.com/10825183

Source: cve@mitre.org

https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls

Source: cve@mitre.org

https://gist.github.com/3696912

Source: cve@mitre.org

https://github.com/mpgn/CRIME-poc

Source: cve@mitre.org

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18920

Source: cve@mitre.org

https://threatpost.com/en_us/blogs/demo-crime-tls-attack-091212

Source: cve@mitre.org

http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/