CVE-2012-2132

libsoup 2.32.2 and earlier does not validate certificates or clear the trust flag when the ssl-ca-file does not exist, which allows remote attackers to bypass authentication by connecting with a SSL connection.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name	Vendor	Start Version	End Version
Libsoup	Gnome	2.32.2 (including)	2.32.2 (including)
Libsoup2.4	Ubuntu	devel	*
Libsoup2.4	Ubuntu	hardy	*
Libsoup2.4	Ubuntu	lucid	*
Libsoup2.4	Ubuntu	natty	*
Libsoup2.4	Ubuntu	oneiric	*
Libsoup2.4	Ubuntu	precise	*

Potential Mitigations

https://cwe.mitre.org/data/definitions/114.html
https://cwe.mitre.org/data/definitions/115.html
https://cwe.mitre.org/data/definitions/151.html
https://cwe.mitre.org/data/definitions/194.html
https://cwe.mitre.org/data/definitions/22.html
https://cwe.mitre.org/data/definitions/57.html
https://cwe.mitre.org/data/definitions/593.html
https://cwe.mitre.org/data/definitions/633.html
https://cwe.mitre.org/data/definitions/650.html
https://cwe.mitre.org/data/definitions/94.html

References

http://www.openwall.com/lists/oss-security/2012/04/24/13
http://www.openwall.com/lists/oss-security/2012/04/24/3
http://www.openwall.com/lists/oss-security/2012/04/30/7
http://www.openwall.com/lists/oss-security/2012/05/02/8
http://www.securityfocus.com/bid/53232
https://bugzilla.gnome.org/show_bug.cgi?id=666280
https://exchange.xforce.ibmcloud.com/vulnerabilities/75167

NVD	https://nvd.nist.gov/vuln/detail/CVE-2012-2132
CWE	https://cwe.mitre.org/data/definitions/287.html

Improper Authentication

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References