
CVE-2012-3446: Apache Libcloud vulnerable to certificate impersonation

CVSS Score (v3.1): 5.9

Basic Information

EPSS Score: 0.55862%
Published: 5/17/2022
Updated: 9/5/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name: apache-libcloud
Ecosystem: pip
Vulnerable Versions: < 0.11.1
First Patched Version: 0.11.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the regex pattern in _verify_hostname() that checks the server hostname against the hostnames in the certificate. The original regex did not use ^/$ anchors, so a certificate name could match a subdomain or a suffix of the hostname rather than the whole hostname (e.g., 'evil.example.com' matching '*.com'). The commit f2af550 explicitly adds these anchors to the regex in this function, and the accompanying test cases demonstrate the stricter validation. The CWE-185 (regex) and CWE-295 (cert validation) mappings directly align with this function's flawed implementation.
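The unanchored versus anchored hostname check described above, as an added Python example (not Apache Libcloud's own code; the function names, the glob-to-regex conversion and the sample certificate dict are assumptions made for this illustration):

```python
import re

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}


def cert_hostnames(cert):
    """Collect the CN and every DNS subjectAltName entry from the cert dict."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value)
    return names


def glob_to_regex(name):
    """Turn a certificate name such as '*.example.com' into a regex body.
    A wildcard may only span one DNS label, hence [^.]* rather than .*."""
    return re.escape(name.lower()).replace(r"\*", "[^.]*")


def hostname_matches_unanchored(hostname, name):
    """Pre-fix behaviour (assumed): no ^/$ anchors, so the pattern may match
    in the middle of the hostname ('evil.example.com' vs '*.com') or only a
    prefix of it ('example.com.evil.net' vs 'example.com')."""
    return re.search(glob_to_regex(name), hostname.lower()) is not None


def hostname_matches_anchored(hostname, name):
    """Post-fix behaviour: ^ and $ force the whole hostname to match."""
    return re.match("^" + glob_to_regex(name) + "$", hostname.lower()) is not None


def verify_hostname(hostname, cert, matcher=hostname_matches_anchored):
    """Accept the peer if any CN/SAN name matches under the given matcher."""
    return any(matcher(hostname, name) for name in cert_hostnames(cert))
```

Running the anchored matcher over SAMPLE_CERT accepts 'www.example.com' and rejects 'evil.example.com.attacker.test', which the unanchored matcher wrongly accepts.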


WAF Protection Rules

WAF Rule

Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-mi
