Weekly Vulnerabilities Reports > October 29 to November 4, 2012

Overview

6 new vulnerabilities were reported during this period, including 0 critical vulnerabilities and 3 high severity vulnerabilities. This weekly summary reports vulnerabilities in 8 products from 8 vendors including Apache, Mozilla, Canonical, Amazon, and Lynx. All reported vulnerabilities are categorized as "Improper Certificate Validation".

  • 6 reported vulnerabilities are remotely exploitable.
  • 6 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 6 reported vulnerabilities are exploitable by an anonymous user.
  • Apache has the most reported vulnerabilities, with 1 reported vulnerability.


Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report:

0 Critical Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

3 High Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2012-11-04 | CVE-2012-5822 | Mozilla | Improper Certificate Validation vulnerability in Mozilla Zamboni | 7.4

The contribution feature in Zamboni does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the Python urllib2 library.

2012-11-04 | CVE-2012-5819 | Filesanywhere | Improper Certificate Validation vulnerability in Filesanywhere | 7.4

FilesAnywhere does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

2012-11-04 | CVE-2012-5817 | Amazon, Codehaus | Improper Certificate Validation vulnerability in multiple products | 7.4

Codehaus XFire 1.2.6 and earlier, as used in the Amazon EC2 API Tools Java library and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

3 Medium Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2012-11-04 | CVE-2012-5821 | Lynx, Canonical | Improper Certificate Validation vulnerability in multiple products | 5.9

Lynx does not verify that the server's certificate is signed by a trusted certification authority, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate, related to improper use of a certain GnuTLS function.

2012-11-04 | CVE-2012-5810 | Jpmorganchase | Improper Certificate Validation vulnerability in Jpmorganchase Chase Mobile | 5.9

The Chase mobile banking application for Android does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to overriding the default X509TrustManager.

2012-11-04 | CVE-2012-3446 | Apache | Improper Certificate Validation vulnerability in Apache Libcloud | 5.9

Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate.

0 Low Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS