CVSS2: 4.3 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | AV:N/AC:M/Au:N/C:P/I:N/A:N |

EPSS: 0.002 Low (Percentile: 55.1%)

GNOME Online Accounts (GOA) 3.4.x, 3.6.x before 3.6.3, and 3.7.x before
3.7.5 does not properly validate SSL certificates when creating accounts
such as Windows Live and Facebook accounts, which allows man-in-the-middle
attackers to obtain sensitive information such as credentials by sniffing
the network.

Author | Note |
---|---|
mdeslaur | 3.2 in oneiric and 3.4 in precise only have web backends, so the 3.4 patch will work. In 3.6+, more backends are available that may have invalid certs, but are desirable. The 3.7 patch adds a new configuration item, but this changes API. |
jdstrand | note that CVE-2013-1799 is a result of an incomplete fix for this CVE (and pt2 of the patch for 3.6) |

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 11.10 | noarch | gnome-online-accounts | < 3.2.1-0ubuntu1.1 | UNKNOWN |
ubuntu | 12.04 | noarch | gnome-online-accounts | < 3.4.0-0ubuntu1.1 | UNKNOWN |
ubuntu | 12.10 | noarch | gnome-online-accounts | < 3.6.0-0ubuntu1.1 | UNKNOWN |