Weekly Vulnerabilities Reports > October 29 to November 4, 2012
Overview
6 new vulnerabilities reported during this period, including 0 critical vulnerabilities and 3 high severity vulnerabilities. This weekly summary report vulnerabilities in 8 products from 8 vendors including Apache, Mozilla, Canonical, Amazon, and Lynx. Vulnerabilities are notably categorized as and "Improper Certificate Validation".
- 6 reported vulnerabilities are remotely exploitables.
- 6 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 6 reported vulnerabilities are exploitable by an anonymous user.
- Apache has the most reported vulnerabilities, with 1 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
0 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|
3 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2012-11-04 | CVE-2012-5822 | Mozilla | Improper Certificate Validation vulnerability in Mozilla Zamboni The contribution feature in Zamboni does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the Python urllib2 library. | 7.4 |
2012-11-04 | CVE-2012-5819 | Filesanywhere | Improper Certificate Validation vulnerability in Filesanywhere FilesAnywhere does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | 7.4 |
2012-11-04 | CVE-2012-5817 | Amazon Codehaus | Improper Certificate Validation vulnerability in multiple products Codehaus XFire 1.2.6 and earlier, as used in the Amazon EC2 API Tools Java library and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | 7.4 |
3 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2012-11-04 | CVE-2012-5821 | Lynx Canonical | Improper Certificate Validation vulnerability in multiple products Lynx does not verify that the server's certificate is signed by a trusted certification authority, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate, related to improper use of a certain GnuTLS function. | 5.9 |
2012-11-04 | CVE-2012-5810 | Jpmorganchase | Improper Certificate Validation vulnerability in Jpmorganchase Chase Mobile The Chase mobile banking application for Android does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to overriding the default X509TrustManager. | 5.9 |
2012-11-04 | CVE-2012-3446 | Apache | Improper Certificate Validation vulnerability in Apache Libcloud Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate. | 5.9 |
0 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|