製品・ソフトウェアに関する情報

JVN脆弱性詳細

Gnome Online Accounts における重要な情報を取得される脆弱性

Title	Gnome Online Accounts における重要な情報を取得される脆弱性
Summary	Gnome Online Accounts (GOA) は、libsoup ライブラリを使用するプロバイダのためにアカウントを作成する際、SSL 証明書を適切に検証しないため、認証情報などの重要な情報を取得される脆弱性が存在します。本問題は、CVE-2013-0240 の修正が不完全だったことによる問題です。
Possible impacts	中間者攻撃により、ネットワークを傍受されることで、認証情報などの重要な情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 25, 2013, midnight
Registration Date	April 3, 2013, 5:14 p.m.
Last Update	April 3, 2013, 5:14 p.m.

Affected System

GNOME Project

GNOME Online Accounts 3.6.3 未満の 3.6.x

GNOME Online Accounts 3.7.91 未満の 3.7.x

Canonical

Ubuntu 11.10

Ubuntu 12.04 LTS

Ubuntu 12.10

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-1799	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1799
National Vulnerability Database (NVD)
2	CVE-2013-1799	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1799

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-310	https://jvndb.jvn.jp/ja/cwe/CWE-310.html

ベンダー情報

No	Name	URL
GNOME
1	GNOME Online Accounts 3.6.3 released	https://mail.gnome.org/archives/gnome-announce-list/2013-March/msg00007.html
2	GNOME Online Accounts 3.7.91 released	https://mail.gnome.org/archives/gnome-announce-list/2013-March/msg00020.html
3	Guard against invalid SSL certificates	https://git.gnome.org/browse/gnome-online-accounts/commit/?id=9cf4bc0ced2c53bcdd36922caa65afc8a167bbd8
GNOME Bugzilla
4	Bug 693214	https://bugzilla.gnome.org/show_bug.cgi?id=693214
5	Bug 695106	https://bugzilla.gnome.org/show_bug.cgi?id=695106
opensuse-security-announce
6	openSUSE-SU-2013:0301	http://lists.opensuse.org/opensuse-updates/2013-02/msg00046.html
Ubuntu Security Notice
7	USN-1779-1	http://ubuntu.com/usn/usn-1779-1

Change Log

No	Changed Details	Date of change
0	[2013年04月03日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2013-1799

Summary	Gnome Online Accounts (GOA) 3.6.x before 3.6.3 and 3.7.x before 3.7.91, does not properly validate SSL certificates when creating accounts for providers who use the libsoup library, which allows man-in-the-middle attackers to obtain sensitive information such as credentials by sniffing the network. NOTE: this issue exists because of an incomplete fix for CVE-2013-0240.
Publication Date	April 2, 2013, 12:23 p.m.
Registration Date	Jan. 26, 2021, 3:37 p.m.
Last Update	Nov. 21, 2024, 10:50 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:gnome:gnome_online_accounts:3.6.0:::::::*
cpe:2.3:a:gnome:gnome_online_accounts:3.6.2:::::::*
cpe:2.3:a:gnome:gnome_online_accounts:3.6.1:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:gnome:gnome_online_accounts:3.7.3:::::::*
cpe:2.3:a:gnome:gnome_online_accounts:3.7.4:::::::*
cpe:2.3:a:gnome:gnome_online_accounts:3.7.90:::::::*
cpe:2.3:a:gnome:gnome_online_accounts:3.7.2:::::::*
cpe:2.3:a:gnome:gnome_online_accounts:3.7.1:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:11.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:12.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-updates/2013-02/msg00046.html
2	http://lists.opensuse.org/opensuse-updates/2013-02/msg00046.html
3	http://secunia.com/advisories/51976	Vendor Advisory
4	http://secunia.com/advisories/51976	Vendor Advisory
5	http://secunia.com/advisories/52791	Vendor Advisory
6	http://secunia.com/advisories/52791	Vendor Advisory
7	http://ubuntu.com/usn/usn-1779-1
8	http://ubuntu.com/usn/usn-1779-1
9	https://bugzilla.gnome.org/show_bug.cgi?id=693214
10	https://bugzilla.gnome.org/show_bug.cgi?id=693214
11	https://bugzilla.gnome.org/show_bug.cgi?id=695106
12	https://bugzilla.gnome.org/show_bug.cgi?id=695106
13	https://git.gnome.org/browse/gnome-online-accounts/commit/?id=9cf4bc0ced2c53bcdd36922caa65afc8a167bbd8
14	https://git.gnome.org/browse/gnome-online-accounts/commit/?id=9cf4bc0ced2c53bcdd36922caa65afc8a167bbd8
15	https://mail.gnome.org/archives/gnome-announce-list/2013-March/msg00007.html
16	https://mail.gnome.org/archives/gnome-announce-list/2013-March/msg00007.html
17	https://mail.gnome.org/archives/gnome-announce-list/2013-March/msg00020.html
18	https://mail.gnome.org/archives/gnome-announce-list/2013-March/msg00020.html

Common Vulnerabilities List