CVE-2012-0955 - OpenCVE

software-properties was vulnerable to a person-in-the-middle attack due to incorrect TLS certificate validation in softwareproperties/ppa.py. software-properties didn't check TLS certificates under python2 and only checked certificates under python3 if a valid certificate bundle was provided. Fixed in software-properties version 0.92.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Software-properties

Configuration 1 [-]

cpe:2.3:a:canonical:software-properties:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://code.launchpad.net/~cyphermox/software-properties/lp1036839/+merge/119753
https://launchpad.net/bugs/1036839

History

No history.

MITRE

Status: PUBLISHED

Assigner: canonical

Published: 2020-12-02T00:50:15.305885Z

Updated: 2024-09-16T17:14:04.258Z

Reserved: 2012-02-01T00:00:00

Link: CVE-2012-0955

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-12-02T01:15:11.797

Modified: 2020-12-08T02:12:04.860

Link: CVE-2012-0955

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "software-properties", "vendor": "Canonical", "versions": [{"lessThan": "0.92", "status": "affected", "version": "0.92", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Marc Deslauriers"}], "datePublic": "2012-08-14T00:00:00", "descriptions": [{"lang": "en", "value": "software-properties was vulnerable to a person-in-the-middle attack due to incorrect TLS certificate validation in softwareproperties/ppa.py. software-properties didn't check TLS certificates under python2 and only checked certificates under python3 if a valid certificate bundle was provided. Fixed in software-properties version 0.92."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "description": "CWE-295 Improper Certificate Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-12-02T00:50:15", "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical"}, "references": [{"tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://launchpad.net/bugs/1036839"}, {"tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://code.launchpad.net/~cyphermox/software-properties/lp1036839/+merge/119753"}], "source": {"defect": ["https://launchpad.net/bugs/1036839"], "discovery": "INTERNAL"}, "title": "software-properties incorrectly validated TLS certificates", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "", "ASSIGNER": "security@ubuntu.com", "DATE_PUBLIC": "2012-08-14T20:05:00.000Z", "ID": "CVE-2012-0955", "STATE": "PUBLIC", "TITLE": "software-properties incorrectly validated TLS certificates"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "software-properties", "version": {"version_data": [{"platform": "", "version_affected": "<", "version_name": "0.92", "version_value": "0.92"}]}}]}, "vendor_name": "Canonical"}]}}, "configuration": [], "credit": [{"lang": "eng", "value": "Marc Deslauriers"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "software-properties was vulnerable to a person-in-the-middle attack due to incorrect TLS certificate validation in softwareproperties/ppa.py. software-properties didn't check TLS certificates under python2 and only checked certificates under python3 if a valid certificate bundle was provided. Fixed in software-properties version 0.92."}]}, "exploit": [], "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-295 Improper Certificate Validation"}]}]}, "references": {"reference_data": [{"name": "https://launchpad.net/bugs/1036839", "refsource": "UBUNTU", "url": "https://launchpad.net/bugs/1036839"}, {"name": "https://code.launchpad.net/~cyphermox/software-properties/lp1036839/+merge/119753", "refsource": "UBUNTU", "url": "https://code.launchpad.net/~cyphermox/software-properties/lp1036839/+merge/119753"}]}, "solution": [], "source": {"advisory": "", "defect": ["https://launchpad.net/bugs/1036839"], "discovery": "INTERNAL"}, "work_around": []}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T18:45:25.999Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://launchpad.net/bugs/1036839"}, {"tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://code.launchpad.net/~cyphermox/software-properties/lp1036839/+merge/119753"}]}]}, "cveMetadata": {"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "assignerShortName": "canonical", "cveId": "CVE-2012-0955", "datePublished": "2020-12-02T00:50:15.305885Z", "dateReserved": "2012-02-01T00:00:00", "dateUpdated": "2024-09-16T17:14:04.258Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:software-properties:*:*:*:*:*:*:*:*", "matchCriteriaId": "DBB125BF-157F-4339-8D76-047D6B0687A6", "versionEndExcluding": "0.92", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "software-properties was vulnerable to a person-in-the-middle attack due to incorrect TLS certificate validation in softwareproperties/ppa.py. software-properties didn't check TLS certificates under python2 and only checked certificates under python3 if a valid certificate bundle was provided. Fixed in software-properties version 0.92."}, {"lang": "es", "value": "software-properties era vulnerable a un ataque de tipo person-in-the-middle debido a una comprobaci\u00f3n inapropiada del certificado TLS en el archivo softwareproperties/ppa.py. software-properties no comprob\u00f3 los certificados TLS en python2 y solo comprob\u00f3 los certificados en python3 si se proporcion\u00f3 un paquete de certificado v\u00e1lido. Corregido en software-properties versi\u00f3n 0.92"}], "id": "CVE-2012-0955", "lastModified": "2020-12-08T02:12:04.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "security@ubuntu.com", "type": "Secondary"}]}, "published": "2020-12-02T01:15:11.797", "references": [{"source": "security@ubuntu.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://code.launchpad.net/~cyphermox/software-properties/lp1036839/+merge/119753"}, {"source": "security@ubuntu.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://launchpad.net/bugs/1036839"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-295"}], "source": "security@ubuntu.com", "type": "Secondary"}]}