Apache Libcloud Vulnerability in SSL Certificate Validation
CVE-2012-3446
5.9 MEDIUM
Summary
A vulnerability in Apache Libcloud prior to version 0.11.1 exists due to improper regular expression handling when verifying server hostnames against the domain name in the subject’s Common Name (CN) or subjectAltName in X.509 certificates. This flaw could enable man-in-the-middle attackers to impersonate legitimate SSL servers through crafted malicious certificates, potentially exposing sensitive user data to compromise.
CVSS V3.1
Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved