NVD Vulnerability Detail

CVE-2013-0240

Summary	Gnome Online Accounts (GOA) 3.4.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.5, does not properly validate SSL certificates when creating accounts such as Windows Live and Facebook accounts, which allows man-in-the-middle attackers to obtain sensitive information such as credentials by sniffing the network.
Publication Date	April 2, 2013, 12:22 p.m.
Registration Date	Jan. 26, 2021, 3:33 p.m.
Last Update	Nov. 21, 2024, 10:47 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:gnome:gnome_online_accounts:3.4.1:::::::*
cpe:2.3:a:gnome:gnome_online_accounts:3.4.0:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:gnome:gnome_online_accounts:3.6.0:::::::*
cpe:2.3:a:gnome:gnome_online_accounts:3.6.2:::::::*
cpe:2.3:a:gnome:gnome_online_accounts:3.6.1:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:gnome:gnome_online_accounts:3.7.3:::::::*
cpe:2.3:a:gnome:gnome_online_accounts:3.7.4:::::::*
cpe:2.3:a:gnome:gnome_online_accounts:3.7.2:::::::*
cpe:2.3:a:gnome:gnome_online_accounts:3.7.1:::::::*

Configuration4	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:11.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:12.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-updates/2013-02/msg00046.html
2	http://lists.opensuse.org/opensuse-updates/2013-02/msg00046.html
3	http://secunia.com/advisories/51976	Vendor Advisory
4	http://secunia.com/advisories/51976	Vendor Advisory
5	http://secunia.com/advisories/52791	Vendor Advisory
6	http://secunia.com/advisories/52791	Vendor Advisory
7	http://ubuntu.com/usn/usn-1779-1
8	http://ubuntu.com/usn/usn-1779-1
9	https://bugzilla.gnome.org/show_bug.cgi?id=693214
10	https://bugzilla.gnome.org/show_bug.cgi?id=693214
11	https://bugzilla.redhat.com/show_bug.cgi?id=894352
12	https://bugzilla.redhat.com/show_bug.cgi?id=894352
13	https://git.gnome.org/browse/gnome-online-accounts/commit/?h=gnome-3-6&id=ecad8142e9ac519b9fc74b96dcb5531052bbffe1
14	https://git.gnome.org/browse/gnome-online-accounts/commit/?h=gnome-3-6&id=ecad8142e9ac519b9fc74b96dcb5531052bbffe1
15	https://git.gnome.org/browse/gnome-online-accounts/commit/?id=bc10fdb68f75f8be84eb698ada08743b9c7c248f
16	https://git.gnome.org/browse/gnome-online-accounts/commit/?id=bc10fdb68f75f8be84eb698ada08743b9c7c248f
17	https://git.gnome.org/browse/gnome-online-accounts/commit/?id=edde7c63326242a60a075341d3fea0be0bc4d80e
18	https://git.gnome.org/browse/gnome-online-accounts/commit/?id=edde7c63326242a60a075341d3fea0be0bc4d80e
19	https://mail.gnome.org/archives/gnome-announce-list/2013-March/msg00007.html
20	https://mail.gnome.org/archives/gnome-announce-list/2013-March/msg00007.html

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-310	暗号の問題	https://cwe.mitre.org/data/definitions/310.html

JVN Vulnerability Information

Gnome Online Accounts における重要な情報を取得される脆弱性

Title	Gnome Online Accounts における重要な情報を取得される脆弱性
Summary	Gnome Online Accounts は、Windows Live や Facebook などのアカウントを作成する際、SSL 証明書を適切に検証しないため、認証情報などの重要な情報を取得される脆弱性が存在します。
Possible impacts	中間者攻撃により、ネットワークを傍受されることで、認証情報などの重要な情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 25, 2013, midnight
Registration Date	April 3, 2013, 5:13 p.m.
Last Update	April 3, 2013, 5:13 p.m.

Affected System

GNOME Project

GNOME Online Accounts 3.4.x

GNOME Online Accounts 3.6.3 未満の 3.6.x

GNOME Online Accounts 3.7.5 未満の 3.7.x

Canonical

Ubuntu 11.10

Ubuntu 12.04 LTS

Ubuntu 12.10

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-0240	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0240
National Vulnerability Database (NVD)
2	CVE-2013-0240	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0240

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-310	https://jvndb.jvn.jp/ja/cwe/CWE-310.html

ベンダー情報

No	Name	URL
GNOME
1	GNOME Online Accounts 3.6.3 released	https://mail.gnome.org/archives/gnome-announce-list/2013-March/msg00007.html
2	Guard against invalid SSL certificates 2013-02-05	https://git.gnome.org/browse/gnome-online-accounts/commit/?id=edde7c63326242a60a075341d3fea0be0bc4d80e
3	Guard against invalid SSL certificates 2013-03-04	https://git.gnome.org/browse/gnome-online-accounts/commit/?h=gnome-3-6&id=ecad8142e9ac519b9fc74b96dcb5531052bbffe1
4	Prepare 3.7.5	https://git.gnome.org/browse/gnome-online-accounts/commit/?id=bc10fdb68f75f8be84eb698ada08743b9c7c248f
GNOME Bugzilla
5	Bug 693214	https://bugzilla.gnome.org/show_bug.cgi?id=693214
openSUSE
6	openSUSE-SU-2013:0301	http://lists.opensuse.org/opensuse-updates/2013-02/msg00046.html
Red Hat Bugzilla
7	Bug 894352	https://bugzilla.redhat.com/show_bug.cgi?id=894352
Ubuntu Security Notice
8	USN-1779-1	http://www.ubuntu.com/usn/usn-1779-1/

Change Log

No	Changed Details	Date of change
0	[2013年04月03日] 掲載	Feb. 17, 2018, 10:37 a.m.