#VU66987 Improper Certificate Validation in libgdata - CVE-2012-1177


Vulnerability identifier: #VU66987

Vulnerability risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2012-1177

CWE-ID: CWE-295

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libgdata
Universal components / Libraries / Libraries used by multiple products

Vendor: Gnome Development Team

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to missing certificate validation. A remote attacker can perform Man-in-the-Middle (MitM) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

libgdata: 0.10.0 - 0.11.0

External links
https://git.gnome.org/browse/libgdata/commit/?h=libgdata-0-10&id=8eff8fa9138859e03e58c2aa76600ab63eb5c29c
https://git.gnome.org/browse/libgdata/commit/?id=6799f2c525a584dc998821a6ce897e463dad7840
https://secunia.com/advisories/50432
https://www.debian.org/security/2012/dsa-2482
https://www.mandriva.com/security/advisories?name=MDVSA-2012:111
https://www.openwall.com/lists/oss-security/2012/03/14/1
https://www.openwall.com/lists/oss-security/2012/03/14/3
https://www.openwall.com/lists/oss-security/2012/03/14/8
https://www.ubuntu.com/usn/USN-1547-1
https://bugs.launchpad.net/ubuntu/+source/libgdata/+bug/938812
https://bugzilla.gnome.org/show_bug.cgi?id=671535
https://bugzilla.novell.com/show_bug.cgi?id=752088

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


MitM attack in GNOME libgdata