VDB
CVE-2012-4930
CVE-2012-4930
PUBLISHED
CVSS 2.5999999046325684 LOW
The SPDY protocol 3 and earlier, as used in Mozilla Firefox, Google Chrome, and other products, can perform TLS encryption of compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.
EPSS 0.24% · 46.6th percentile
Risk Scores
CVSS v2.0
2.5999999046325684
EPSS Score
0.24%
46.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | * |
| mozilla | firefox | |
| chrome |
Timeline
- Sep 15, 2012 CVE Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- May 20, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Sep 3, 2022 EPSS Score
- Oct 26, 2022 EPSS Score
- Dec 17, 2022 EPSS Score
- Feb 8, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 1, 2023 EPSS Score
- May 24, 2023 EPSS Score
References
- http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091 url
- http://threatpost.com/en_us/blogs/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312 url
- http://isecpartners.com/blog/2012/9/14/details-on-the-crime-attack.html url
- https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls url
- http://www.theregister.co.uk/2012/09/14/crime_tls_attack/ url
- https://bugzilla.redhat.com/show_bug.cgi?id=857737 url
- http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/ url
- SUSE-SU-2012:1351 vendor-advisory
- http://www.ekoparty.org/2012/thai-duong.php url
- https://nvd.nist.gov/vuln/detail/CVE-2012-4930 advisory
- http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions url
- http://www.theregister.co.uk/2012/09/14/crime_tls_attack url