CVE-2010-3900

medium

Description

Midori before 0.2.5, when WebKitGTK+ before 1.1.14 or LibSoup before 2.29.91 is used, does not verify X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary https web sites via a crafted server certificate, a related issue to CVE-2010-3312.

References

http://git.xfce.org/apps/midori/tree/ChangeLog

http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html

http://secunia.com/advisories/43068

http://www.omgubuntu.co.uk/2010/05/midori-0-2-5-released/

http://www.openwall.com/lists/oss-security/2010/09/17/6

http://www.twotoasts.de/bugs/index.php?do=details&task_id=168

http://www.twotoasts.de/bugs/index.php?do=details&task_id=743

http://www.twotoasts.de/index.php?/archives/30-Validation,-vending-and-Vala.html

http://www.vupen.com/english/advisories/2011/0212

Details

Source: MITRE

Published: 2010-10-14

Updated: 2011-02-17

Risk Information

CVSS v2

Base Score: 5.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 8.6

Severity: MEDIUM

Tenable Plugins

ID | Name | Product | Family | Severity
75629 | openSUSE Security Update : libwebkit (openSUSE-SU-2011:0024-1) | Nessus | SuSE Local Security Checks | critical
53764 | openSUSE Security Update : libwebkit (openSUSE-SU-2011:0024-1) | Nessus | SuSE Local Security Checks | critical