CVE-2012-3458
Description
Beaker before 1.6.4, when using PyCrypto to encrypt sessions, uses AES in ECB cipher mode, which might allow remote attackers to obtain portions of sensitive session data via unspecified vectors.
| Name | CVE-2012-3458 |
| Description | Beaker before 1.6.4, when using PyCrypto to encrypt sessions, uses AES in ECB cipher mode, which might allow remote attackers to obtain portions of sensitive session data via unspecified vectors. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-2541-1 |
| Debian Bugs | 684890 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| beaker (PTS) | bullseye | 1.11.0-1.1 | fixed |
| beaker (PTS) | bookworm | 1.11.0-3 | fixed |
| beaker (PTS) | trixie | 1.13.0-1 | fixed |
| beaker (PTS) | forky, sid | 1.13.0-3 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| beaker | source | squeeze | 1.5.4-4+squeeze1 | | DSA-2541-1 | |
| beaker | source | (unstable) | 1.6.3-1.1 | | | 684890 |
OS impact
Debian: fixed in 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 1.6.3-1.1 |
| sid | Fixed | 1.6.3-1.1 |
| forky | Fixed | 1.6.3-1.1 |
| bullseye | Fixed | 1.6.3-1.1 |
| bookworm | Fixed | 1.6.3-1.1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| python | beaker | up to and including 1.6.4 | |
References
- https://nvd.nist.gov/vuln/detail/CVE-2012-3458
- https://github.com/bbangert/beaker/commit/91becae76101cf87ce8cbfabe3af2622fc328fe5
- https://bugzilla.redhat.com/show_bug.cgi?id=809267
- https://github.com/bbangert/beaker
- https://github.com/pypa/advisory-database/tree/main/vulns/beaker/PYSEC-2012-1.yaml
- https://web.archive.org/web/20140724164516/http://secunia.com/advisories/50226
- https://web.archive.org/web/20140725025612/http://secunia.com/advisories/50520
- http://www.debian.org/security/2012/dsa-2541
- http://www.openwall.com/lists/oss-security/2012/08/13/10
- http://secunia.com/advisories/50226
- http://secunia.com/advisories/50520
- https://security-tracker.debian.org/tracker/CVE-2012-3458
CWEs
CWE-310