CVE-2013-0240

Gnome Online Accounts (GOA) 3.4.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.5, does not properly validate SSL certificates when creating accounts such as Windows Live and Facebook accounts, which allows man-in-the-middle attackers to obtain sensitive information such as credentials by sniffing the network.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://bugzilla.gnome.org/show_bug.cgi?id=693214
http://secunia.com/advisories/52791	Vendor Advisory
http://secunia.com/advisories/51976	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=894352
http://ubuntu.com/usn/usn-1779-1
https://git.gnome.org/browse/gnome-online-accounts/commit/?h=gnome-3-6&id=ecad8142e9ac519b9fc74b96dcb5531052bbffe1
https://git.gnome.org/browse/gnome-online-accounts/commit/?id=edde7c63326242a60a075341d3fea0be0bc4d80e
https://mail.gnome.org/archives/gnome-announce-list/2013-March/msg00007.html
http://lists.opensuse.org/opensuse-updates/2013-02/msg00046.html
https://git.gnome.org/browse/gnome-online-accounts/commit/?id=bc10fdb68f75f8be84eb698ada08743b9c7c248f

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gnome:gnome_online_accounts:3.4.0:::::::*
	cpe:2.3:a:gnome:gnome_online_accounts:3.4.1:::::::*

Configuration 2 (hide)

OR	cpe:2.3:a:gnome:gnome_online_accounts:3.6.0:::::::*
	cpe:2.3:a:gnome:gnome_online_accounts:3.6.1:::::::*
	cpe:2.3:a:gnome:gnome_online_accounts:3.6.2:::::::*

Configuration 3 (hide)

OR	cpe:2.3:a:gnome:gnome_online_accounts:3.7.1:::::::*
	cpe:2.3:a:gnome:gnome_online_accounts:3.7.3:::::::*
	cpe:2.3:a:gnome:gnome_online_accounts:3.7.2:::::::*
	cpe:2.3:a:gnome:gnome_online_accounts:3.7.4:::::::*

Configuration 4 (hide)

OR	cpe:2.3:o:canonical:ubuntu_linux:11.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:12.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:::::*

Information

Published : 2013-04-01 20:22

Updated : 2013-04-01 21:00

NVD link : CVE-2013-0240

Mitre link : CVE-2013-0240

JSON object : View

CWE

CWE-310

Cryptographic Issues

Products Affected

canonical

ubuntu_linux

gnome

gnome_online_accounts

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://bugzilla.gnome.org/show_bug.cgi?id=693214", "name": "https://bugzilla.gnome.org/show_bug.cgi?id=693214", "tags": [], "refsource": "CONFIRM"}, {"url": "http://secunia.com/advisories/52791", "name": "52791", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://secunia.com/advisories/51976", "name": "51976", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=894352", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=894352", "tags": [], "refsource": "MISC"}, {"url": "http://ubuntu.com/usn/usn-1779-1", "name": "USN-1779-1", "tags": [], "refsource": "UBUNTU"}, {"url": "https://git.gnome.org/browse/gnome-online-accounts/commit/?h=gnome-3-6&id=ecad8142e9ac519b9fc74b96dcb5531052bbffe1", "name": "https://git.gnome.org/browse/gnome-online-accounts/commit/?h=gnome-3-6&id=ecad8142e9ac519b9fc74b96dcb5531052bbffe1", "tags": [], "refsource": "CONFIRM"}, {"url": "https://git.gnome.org/browse/gnome-online-accounts/commit/?id=edde7c63326242a60a075341d3fea0be0bc4d80e", "name": "https://git.gnome.org/browse/gnome-online-accounts/commit/?id=edde7c63326242a60a075341d3fea0be0bc4d80e", "tags": [], "refsource": "CONFIRM"}, {"url": "https://mail.gnome.org/archives/gnome-announce-list/2013-March/msg00007.html", "name": "[gnome-announce-list] 20130304 GNOME Online Accounts 3.6.3 released", "tags": [], "refsource": "MLIST"}, {"url": "http://lists.opensuse.org/opensuse-updates/2013-02/msg00046.html", "name": "openSUSE-SU-2013:0301", "tags": [], "refsource": "SUSE"}, {"url": "https://git.gnome.org/browse/gnome-online-accounts/commit/?id=bc10fdb68f75f8be84eb698ada08743b9c7c248f", "name": "https://git.gnome.org/browse/gnome-online-accounts/commit/?id=bc10fdb68f75f8be84eb698ada08743b9c7c248f", "tags": [], "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Gnome Online Accounts (GOA) 3.4.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.5, does not properly validate SSL certificates when creating accounts such as Windows Live and Facebook accounts, which allows man-in-the-middle attackers to obtain sensitive information such as credentials by sniffing the network."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-310"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2013-0240", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2013-04-02T03:22Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:gnome:gnome_online_accounts:3.4.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnome:gnome_online_accounts:3.4.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:gnome:gnome_online_accounts:3.6.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnome:gnome_online_accounts:3.6.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnome:gnome_online_accounts:3.6.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:gnome:gnome_online_accounts:3.7.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnome:gnome_online_accounts:3.7.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnome:gnome_online_accounts:3.7.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnome:gnome_online_accounts:3.7.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2013-04-02T04:00Z"}

4.3 /10