Auth bypass in Gnome Libsoup

CVE-2012-2132

libsoup 2.32.2 and earlier does not validate certificates or clear the trust flag when the ssl-ca-file does not exist, which allows remote attackers to bypass authentication by connecting with a SSL connection.

Vulnerability class: Broken Authentication

EPSS: 0.003 (49.3th percentile) — read the EPSS interpretation.

Affected products

Gnome Libsoup — versions 2.32.2
N/a — versions n/a

Weakness classification (CWE)

CWE-287 — Improper Authentication

References

[oss-security] 20120424 Re: CVE Request: libsoup 2.32.2 sets ssl trusted flag despite no verification (mailing-list, x_refsource_MLIST)
53232 (vdb-entry, x_refsource_BID)
[oss-security] 20120424 CVE Request: libsoup 2.32.2 sets ssl trusted flag despite no verification (mailing-list, x_refsource_MLIST)
[oss-security] 20120430 Re: CVE Request: libsoup 2.32.2 sets ssl trusted flag despite no verification (mailing-list, x_refsource_MLIST)
libsoup-ssl-poofing(75167) (vdb-entry, x_refsource_XF)
[oss-security] 20120502 Re: CVE Request: libsoup 2.32.2 sets ssl trusted flag despite no verification (mailing-list, x_refsource_MLIST)
secalert@redhat.com (x_refsource_CONFIRM)