CVE-2012-2499

2022-10-0316:15:37

CWE-310

[email protected]

web.nvd.nist.gov

cisco

anyconnect

secure mobility client

ipsec

x.509 certificate

man-in-the-middle attack

bug id csctz26985

cve-2012-2499

6.4 Medium

AI Score

Confidence

Low

5.8 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.001 Low

EPSS

Percentile

27.7%

JSON

The IPsec implementation in Cisco AnyConnect Secure Mobility Client 3.0 before 3.0.08057 does not verify the certificate name in an X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate, aka Bug ID CSCtz26985.

Affected configurations

NVD

Node

ciscoanyconnect_secure_mobility_clientMatch3.0

ciscoanyconnect_secure_mobility_clientMatch3.0.0629

ciscoanyconnect_secure_mobility_clientMatch3.0.07059

CPENameOperatorVersion
cisco:anyconnect_secure_mobility_clientcisco anyconnect secure mobility clienteq3.0
cisco:anyconnect_secure_mobility_clientcisco anyconnect secure mobility clienteq3.0.0629
cisco:anyconnect_secure_mobility_clientcisco anyconnect secure mobility clienteq3.0.07059

CPE	Name	Operator	Version
cisco:anyconnect_secure_mobility_client	cisco anyconnect secure mobility client	eq	3.0
cisco:anyconnect_secure_mobility_client	cisco anyconnect secure mobility client	eq	3.0.0629
cisco:anyconnect_secure_mobility_client	cisco anyconnect secure mobility client	eq	3.0.07059