CVE-2016-5672 - OpenCVE

Intel Crosswalk before 19.49.514.5, 20.x before 20.50.533.11, 21.x before 21.51.546.0, and 22.x before 22.51.549.0 interprets a user's acceptance of one invalid X.509 certificate to mean that all invalid X.509 certificates should be accepted without prompting, which makes it easier for man-in-the-middle attackers to spoof SSL servers and obtain sensitive information via a crafted certificate.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Intel	Crosswalk

Configuration 1 [-]

cpe:2.3:a:intel:crosswalk:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/138107/Intel-Crosswalk-Project-Man-In-The-Middle.html
http://www.kb.cert.org/vuls/id/217871
http://www.securityfocus.com/archive/1/539051/100/0/threaded
http://www.securityfocus.com/bid/92199
https://blogs.intel.com/evangelists/2016/07/28/crosswalk-security-vulnerability/
https://crosswalk-project.org/jira/browse/XWALK-6986
https://lists.crosswalk-project.org/pipermail/crosswalk-help/2016-July/002167.html
https://wwws.nightwatchcybersecurity.com/2016/07/29/advisory-intel-crosswalk-ssl-prompt-issue

History

No history.

MITRE

Status: PUBLISHED

Assigner: certcc

Published: 2016-08-01T01:00:00

Updated: 2024-08-06T01:08:00.524Z

Reserved: 2016-06-16T00:00:00

Link: CVE-2016-5672

Vulnrichment

No data.

NVD

Status : Modified

Published: 2016-08-01T02:59:17.870

Modified: 2018-10-09T20:00:35.960

Link: CVE-2016-5672

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-07-28T00:00:00", "descriptions": [{"lang": "en", "value": "Intel Crosswalk before 19.49.514.5, 20.x before 20.50.533.11, 21.x before 21.51.546.0, and 22.x before 22.51.549.0 interprets a user's acceptance of one invalid X.509 certificate to mean that all invalid X.509 certificates should be accepted without prompting, which makes it easier for man-in-the-middle attackers to spoof SSL servers and obtain sensitive information via a crafted certificate."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-09T18:57:01", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://blogs.intel.com/evangelists/2016/07/28/crosswalk-security-vulnerability/"}, {"name": "92199", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/92199"}, {"tags": ["x_refsource_MISC"], "url": "https://wwws.nightwatchcybersecurity.com/2016/07/29/advisory-intel-crosswalk-ssl-prompt-issue"}, {"tags": ["x_refsource_MISC"], "url": "https://crosswalk-project.org/jira/browse/XWALK-6986"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/138107/Intel-Crosswalk-Project-Man-In-The-Middle.html"}, {"name": "[crosswalk-help] 20160728 Crosswalk Security Advisory", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.crosswalk-project.org/pipermail/crosswalk-help/2016-July/002167.html"}, {"name": "20160729 CVE-2016-5672: Intel Crosswalk SSL Prompt Issue", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/539051/100/0/threaded"}, {"name": "VU#217871", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/217871"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cert@cert.org", "ID": "CVE-2016-5672", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Intel Crosswalk before 19.49.514.5, 20.x before 20.50.533.11, 21.x before 21.51.546.0, and 22.x before 22.51.549.0 interprets a user's acceptance of one invalid X.509 certificate to mean that all invalid X.509 certificates should be accepted without prompting, which makes it easier for man-in-the-middle attackers to spoof SSL servers and obtain sensitive information via a crafted certificate."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://blogs.intel.com/evangelists/2016/07/28/crosswalk-security-vulnerability/", "refsource": "CONFIRM", "url": "https://blogs.intel.com/evangelists/2016/07/28/crosswalk-security-vulnerability/"}, {"name": "92199", "refsource": "BID", "url": "http://www.securityfocus.com/bid/92199"}, {"name": "https://wwws.nightwatchcybersecurity.com/2016/07/29/advisory-intel-crosswalk-ssl-prompt-issue", "refsource": "MISC", "url": "https://wwws.nightwatchcybersecurity.com/2016/07/29/advisory-intel-crosswalk-ssl-prompt-issue"}, {"name": "https://crosswalk-project.org/jira/browse/XWALK-6986", "refsource": "MISC", "url": "https://crosswalk-project.org/jira/browse/XWALK-6986"}, {"name": "http://packetstormsecurity.com/files/138107/Intel-Crosswalk-Project-Man-In-The-Middle.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/138107/Intel-Crosswalk-Project-Man-In-The-Middle.html"}, {"name": "[crosswalk-help] 20160728 Crosswalk Security Advisory", "refsource": "MLIST", "url": "https://lists.crosswalk-project.org/pipermail/crosswalk-help/2016-July/002167.html"}, {"name": "20160729 CVE-2016-5672: Intel Crosswalk SSL Prompt Issue", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/539051/100/0/threaded"}, {"name": "VU#217871", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/217871"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T01:08:00.524Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://blogs.intel.com/evangelists/2016/07/28/crosswalk-security-vulnerability/"}, {"name": "92199", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/92199"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wwws.nightwatchcybersecurity.com/2016/07/29/advisory-intel-crosswalk-ssl-prompt-issue"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://crosswalk-project.org/jira/browse/XWALK-6986"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/138107/Intel-Crosswalk-Project-Man-In-The-Middle.html"}, {"name": "[crosswalk-help] 20160728 Crosswalk Security Advisory", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.crosswalk-project.org/pipermail/crosswalk-help/2016-July/002167.html"}, {"name": "20160729 CVE-2016-5672: Intel Crosswalk SSL Prompt Issue", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/539051/100/0/threaded"}, {"name": "VU#217871", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/217871"}]}]}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2016-5672", "datePublished": "2016-08-01T01:00:00", "dateReserved": "2016-06-16T00:00:00", "dateUpdated": "2024-08-06T01:08:00.524Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:intel:crosswalk:*:*:*:*:*:*:*:*", "matchCriteriaId": "7A9BBD23-5F7E-462F-B977-499AEA34C7E3", "versionEndIncluding": "19.49.514.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Intel Crosswalk before 19.49.514.5, 20.x before 20.50.533.11, 21.x before 21.51.546.0, and 22.x before 22.51.549.0 interprets a user's acceptance of one invalid X.509 certificate to mean that all invalid X.509 certificates should be accepted without prompting, which makes it easier for man-in-the-middle attackers to spoof SSL servers and obtain sensitive information via a crafted certificate."}, {"lang": "es", "value": "Intel Crosswalk en versiones anteriores a 19.49.514.5, 20.x en versiones anteriores a 20.50.533.11, 21.x en versiones anteriores a 21.51.546.0 y 22.x en versiones anteriores a 22.51.549.0 interpreta que una aceptaci\u00f3n por parte de un usuario de un certificado X.509 invalido significa que todos los certificados X.509 deben ser aceptados sin preguntar, lo que facilita a atacantes man-in-the-middle espiar servidores SSL y obtener informaci\u00f3n sensible a trav\u00e9s de un certificado manipulado."}], "id": "CVE-2016-5672", "lastModified": "2018-10-09T20:00:35.960", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-08-01T02:59:17.870", "references": [{"source": "cret@cert.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/138107/Intel-Crosswalk-Project-Man-In-The-Middle.html"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/217871"}, {"source": "cret@cert.org", "url": "http://www.securityfocus.com/archive/1/539051/100/0/threaded"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/92199"}, {"source": "cret@cert.org", "tags": ["Vendor Advisory"], "url": "https://blogs.intel.com/evangelists/2016/07/28/crosswalk-security-vulnerability/"}, {"source": "cret@cert.org", "tags": ["Permissions Required", "Technical Description"], "url": "https://crosswalk-project.org/jira/browse/XWALK-6986"}, {"source": "cret@cert.org", "tags": ["Vendor Advisory"], "url": "https://lists.crosswalk-project.org/pipermail/crosswalk-help/2016-July/002167.html"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "https://wwws.nightwatchcybersecurity.com/2016/07/29/advisory-intel-crosswalk-ssl-prompt-issue"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}