CVE-2012-4929
Summary
| CVE | CVE-2012-4929 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2012-09-15 18:55:03 UTC |
| Updated | 2026-04-29 01:13:23 UTC |
| Description | The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack. |
Risk And Classification
CVSS v2.0 Breakdown
| Metric | Value |
|---|---|
| Access Vector | Network |
| Access Complexity | High |
| Authentication | None |
| Confidentiality | Partial |
| Integrity | None |
| Availability | None |
| Vector String | AV:N/AC:H/Au:N/C:P/I:N/A:N |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 7.0 | All | All | All |
| Operating System | Debian | Debian Linux | 8.0 | All | All | All |
| Application | Google | Chrome | All | All | All | All |
| Application | Mozilla | Firefox | All | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| ssl - CRIME - How to beat the BEAST successor? - IT Security | af854a3a-2127-422b-91ae-364da2661108 | security.stackexchange.com | |
| [SECURITY] Fedora 18 Update: mingw-openssl-1.0.1e-1.fc18 | af854a3a-2127-422b-91ae-364da2661108 | lists.fedoraproject.org | |
| ekoparty Security Conference | af854a3a-2127-422b-91ae-364da2661108 | www.ekoparty.org | |
| openSUSE-SU-2013:0157-1: moderate: libqt4: security fixes for XMLHttpReq | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| Issue 10825183: net: disable TLS compression with OpenSSL. - Code Review | af854a3a-2127-422b-91ae-364da2661108 | chromiumcodereview.appspot.com | |
| The perfect CRIME? New HTTPS web hijack attack explained • The Register | af854a3a-2127-422b-91ae-364da2661108 | www.theregister.co.uk | |
| Debian -- Security Information -- DSA-2579-1 apache2 | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | |
| Google disables compression for OpenSSL in Chrome - SSL exploit coming? | Hacker News | af854a3a-2127-422b-91ae-364da2661108 | news.ycombinator.com | |
| TLS Protocol CVE-2012-4929 Information Disclosure Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | |
| openSUSE-SU-2012:1420-1: moderate: update for libqt4 | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| USN-1627-1: Apache HTTP Server vulnerabilities | Ubuntu | af854a3a-2127-422b-91ae-364da2661108 | www.ubuntu.com | |
| About the security content of OS X Mountain Lion v10.8.4 and Security Update 2013-002 | af854a3a-2127-422b-91ae-364da2661108 | support.apple.com | |
| Compression and Information Leakage of Plaintext | af854a3a-2127-422b-91ae-364da2661108 | www.iacr.org | |
| Bug 857051 – CVE-2012-4929 SSL/TLS CRIME attack against HTTPS | af854a3a-2127-422b-91ae-364da2661108 | bugzilla.redhat.com | |
| CRIME: Information Leakage Attack against SSL/TLS | Qualys Security Labs | Qualys Community | af854a3a-2127-422b-91ae-364da2661108 | community.qualys.com | |
| Repository / Oval Repository | af854a3a-2127-422b-91ae-364da2661108 | oval.cisecurity.org | |
| Crack in Internet’s foundation of trust allows HTTPS session hijacking | Ars Technica | af854a3a-2127-422b-91ae-364da2661108 | arstechnica.com | |
| New Attack Uses SSL/TLS Information Leak to Hijack HTTPS Sessions | threatpost | af854a3a-2127-422b-91ae-364da2661108 | threatpost.com | |
| It's not a crime to build a CRIME | af854a3a-2127-422b-91ae-364da2661108 | gist.github.com | |
| Debian -- Security Information -- DSA-2627-1 nginx | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | |
| APPLE-SA-2013-06-04-1 OS X Mountain Lion v10.8.4 and Security Update 2013-002 | af854a3a-2127-422b-91ae-364da2661108 | lists.apple.com | |
| USN-1628-1: Qt vulnerability | Ubuntu | af854a3a-2127-422b-91ae-364da2661108 | www.ubuntu.com | |
| '[security bulletin] HPSBUX02866 SSRT101139 rev.1 - HP-UX Running Apache, Remote Denial of Service (D' - MARC | af854a3a-2127-422b-91ae-364da2661108 | marc.info | |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| Details on the “CRIME” attack - Blog - iSEC Partners | af854a3a-2127-422b-91ae-364da2661108 | isecpartners.com | |
| openSUSE-SU-2013:0143-1: moderate: libqt4: security fixes for XMLHttpReq | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| JVNDB-2016-000129 - JVN iPedia | af854a3a-2127-422b-91ae-364da2661108 | jvndb.jvn.jp | |
| USN-1898-1: OpenSSL vulnerability | Ubuntu | af854a3a-2127-422b-91ae-364da2661108 | www.ubuntu.com | |
| 139744 - chromium - An open-source project to help move the web forward. - Monorail | af854a3a-2127-422b-91ae-364da2661108 | code.google.com | |
| JVN#65273415: Android OS issue where it is affected by the CRIME attack | af854a3a-2127-422b-91ae-364da2661108 | jvn.jp | |
| Demo of the CRIME TLS Attack | threatpost | af854a3a-2127-422b-91ae-364da2661108 | threatpost.com | |
| GitHub - mpgn/CRIME-poc: CRIME attack PoC : a compression oracle attacks CVE-2012-4929 | af854a3a-2127-422b-91ae-364da2661108 | github.com | |
| Debian -- Security Information -- DSA-3253-1 pound | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | |
| CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions | threatpost | af854a3a-2127-422b-91ae-364da2661108 | threatpost.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.