Intel Crosswalk before 19.49.514.5, 20.x before 20.50.533.11, 21.x before 21.51.546.0, and 22.x before 22.51.549.0 interprets a user's acceptance of one invalid X.509 certificate to mean that all invalid X.509 certificates should be accepted without prompting, which makes it easier for man-in-the-middle attackers to spoof SSL servers and obtain sensitive information via a crafted certificate.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
| Link | Tags |
|---|---|
| https://blogs.intel.com/evangelists/2016/07/28/crosswalk-security-vulnerability/ | vendor advisory |
| http://www.securityfocus.com/bid/92199 | third party advisory vdb entry |
| https://wwws.nightwatchcybersecurity.com/2016/07/29/advisory-intel-crosswalk-ssl-prompt-issue | third party advisory |
| https://crosswalk-project.org/jira/browse/XWALK-6986 | permissions required technical description |
| http://packetstormsecurity.com/files/138107/Intel-Crosswalk-Project-Man-In-The-Middle.html | third party advisory vdb entry |
| https://lists.crosswalk-project.org/pipermail/crosswalk-help/2016-July/002167.html | vendor advisory mailing list |
| http://www.securityfocus.com/archive/1/539051/100/0/threaded | mailing list |
| http://www.kb.cert.org/vuls/id/217871 | third party advisory us government resource |