The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.
References
Link Providers
http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/ cve-icon cve-icon
http://code.google.com/p/chromium/issues/detail?id=139744 cve-icon cve-icon
http://isecpartners.com/blog/2012/9/14/details-on-the-crime-attack.html cve-icon cve-icon
http://jvn.jp/en/jp/JVN65273415/index.html cve-icon cve-icon
http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000129.html cve-icon cve-icon
http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html cve-icon cve-icon
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-updates/2012-10/msg00096.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-updates/2013-01/msg00034.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-updates/2013-01/msg00048.html cve-icon cve-icon
http://marc.info/?l=bugtraq&m=136612293908376&w=2 cve-icon cve-icon
http://news.ycombinator.com/item?id=4510829 cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-0587.html cve-icon cve-icon
http://security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor cve-icon cve-icon
http://support.apple.com/kb/HT5784 cve-icon cve-icon
http://threatpost.com/en_us/blogs/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312 cve-icon cve-icon
http://threatpost.com/en_us/blogs/new-attack-uses-ssltls-information-leak-hijack-https-sessions-090512 cve-icon cve-icon
http://www.debian.org/security/2012/dsa-2579 cve-icon cve-icon
http://www.debian.org/security/2013/dsa-2627 cve-icon cve-icon
http://www.debian.org/security/2015/dsa-3253 cve-icon cve-icon
http://www.ekoparty.org/2012/thai-duong.php cve-icon cve-icon
http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091 cve-icon cve-icon
http://www.securityfocus.com/bid/55704 cve-icon cve-icon
http://www.theregister.co.uk/2012/09/14/crime_tls_attack/ cve-icon cve-icon
http://www.ubuntu.com/usn/USN-1627-1 cve-icon cve-icon
http://www.ubuntu.com/usn/USN-1628-1 cve-icon cve-icon
http://www.ubuntu.com/usn/USN-1898-1 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=857051 cve-icon cve-icon
https://chromiumcodereview.appspot.com/10825183 cve-icon cve-icon
https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls cve-icon cve-icon
https://gist.github.com/3696912 cve-icon cve-icon
https://github.com/mpgn/CRIME-poc cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2012-4929 cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18920 cve-icon cve-icon
https://threatpost.com/en_us/blogs/demo-crime-tls-attack-091212 cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2012-4929 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2012-09-15T18:00:00

Updated: 2024-08-06T20:50:18.019Z

Reserved: 2012-09-15T00:00:00

Link: CVE-2012-4929

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2012-09-15T18:55:03.187

Modified: 2024-11-21T01:43:46.407

Link: CVE-2012-4929

cve-icon Redhat

Severity : Moderate

Publid Date: 2012-09-13T00:00:00Z

Links: CVE-2012-4929 - Bugzilla