CVE-2016-0818 Information

Feb 14, 2021 cve

Description

The caching functionality in the TrustManagerImpl class in TrustManagerImpl.java in Conscrypt in Android 4.x before 4.4.4 5.x before 5.1.1 LMY49H and 6.x before 2016-03-01 mishandles the distinction between an intermediate CA and a trusted root CA which allows man-in-the-middle attackers to spoof servers by leveraging access to an intermediate CA to issue a certificate aka internal bug 26232830.

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Reference

http://source.android.com/security/bulletin/2016-03-01.html http://www.securityfocus.com/bid/84245 https://android.googlesource.com/platform/external/conscrypt/+/4c9f9c2201116acf790fca25af43995d29980ee0 https://android.googlesource.com/platform/external/conscrypt/+/c4ab1b959280413fb11bf4fd7f6b4c2ba38bd779

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

NONE

Base Severity

5.9

Share on: