Published: 18/01/2014 Updated: 09/10/2018

CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6

VMScore: 516

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) prior to 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle malicious users to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic.

Vulnerable Product	Search on Vulmon	Subscribe to Product
mozilla network security services 3.12.1
mozilla network security services 3.12.10
mozilla network security services 3.12.5
mozilla network security services 3.12.6
mozilla network security services 3.12.7
mozilla network security services 3.14.4
mozilla network security services 3.14.5
mozilla network security services 3.3
mozilla network security services 3.3.1
mozilla network security services 3.6.1
mozilla network security services 3.7
mozilla network security services 3.7.1
mozilla network security services 3.11.2
mozilla network security services 3.12.11
mozilla network security services 3.12.2
mozilla network security services 3.12.8
mozilla network security services 3.12.9
mozilla network security services 3.15
mozilla network security services 3.15.1
mozilla network security services 3.3.2
mozilla network security services 3.4
mozilla network security services 3.7.2
mozilla network security services 3.7.3
mozilla network security services 3.11.3
mozilla network security services 3.11.4
mozilla network security services 3.12.3
mozilla network security services 3.12.3.1
mozilla network security services 3.14
mozilla network security services 3.14.1
mozilla network security services 3.15.2
mozilla network security services
mozilla network security services 3.4.1
mozilla network security services 3.4.2
mozilla network security services 3.7.5
mozilla network security services 3.7.7
mozilla network security services 3.11.5
mozilla network security services 3.12
mozilla network security services 3.12.3.2
mozilla network security services 3.12.4
mozilla network security services 3.14.2
mozilla network security services 3.14.3
mozilla network security services 3.2
mozilla network security services 3.2.1
mozilla network security services 3.5
mozilla network security services 3.6
mozilla network security services 3.8
mozilla network security services 3.9

NSS could be made to expose sensitive information over the network ...

A flaw was found in the way TLS False Start was implemented in NSS An attacker could use this flaw to potentially return unencrypted information from the server ...

CWE-310 https://bugs.gentoo.org/show_bug.cgi?id=498172 https://bugzilla.mozilla.org/show_bug.cgi?id=919877 https://bugzilla.redhat.com/show_bug.cgi?id=1053725 https://developer.mozilla.org/docs/NSS/NSS_3.15.4_release_notes http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00004.html http://www.ubuntu.com/usn/USN-2088-1 http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html http://www.vmware.com/security/advisories/VMSA-2014-0012.html http://seclists.org/fulldisclosure/2014/Dec/23 http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html http://www.securityfocus.com/bid/64944 https://exchange.xforce.ibmcloud.com/vulnerabilities/90394 http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html http://www.securityfocus.com/archive/1/534161/100/0/threaded https://usn.ubuntu.com/2088-1/https://nvd.nist.gov https://access.redhat.com/security/cve/cve-2013-1740

CVE-2013-1740

Vulnerability Summary

Vendor Advisories

References

Vulmon Search

About

Products

Connect