CVE-2014-1492

Published: 25/03/2014 Updated: 09/10/2018
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

The cert_TestHostName function in lib/certdb/certdb.c, part of the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16, accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.

Vulnerable Product

mozilla network security services 3.15.3.1

mozilla network security services 3.12

mozilla network security services 3.12.1

mozilla network security services 3.12.4

mozilla network security services 3.12.5

mozilla network security services 3.14.3

mozilla network security services 3.14.4

mozilla network security services 3.2.1

mozilla network security services 3.3

mozilla network security services 3.6

mozilla network security services 3.6.1

mozilla network security services 3.7

mozilla network security services 3.11.4

mozilla network security services 3.11.5

mozilla network security services 3.12.3.1

mozilla network security services 3.9

mozilla network security services 3.12.3.2

mozilla network security services 3.14.1

mozilla network security services 3.14.2

mozilla network security services 3.15.3

mozilla network security services 3.2

mozilla network security services 3.4.2

mozilla network security services 3.5

mozilla network security services 3.7.7

mozilla network security services 3.8

mozilla network security services

mozilla network security services 3.15.4

mozilla network security services 3.12.10

mozilla network security services 3.12.11

mozilla network security services 3.12.6

mozilla network security services 3.12.7

mozilla network security services 3.12.8

mozilla network security services 3.14.5

mozilla network security services 3.15

mozilla network security services 3.3.1

mozilla network security services 3.3.2

mozilla network security services 3.7.1

mozilla network security services 3.7.2

mozilla network security services 3.11.2

mozilla network security services 3.11.3

mozilla network security services 3.12.2

mozilla network security services 3.12.3

mozilla network security services 3.12.9

mozilla network security services 3.14

mozilla network security services 3.15.1

mozilla network security services 3.15.2

mozilla network security services 3.4

mozilla network security services 3.4.1

mozilla network security services 3.7.3

mozilla network security services 3.7.5

Vendor Advisories

Firefox could be made to crash or run programs as your login if it opened a malicious website ...
NSS could be made to expose sensitive information over the network ...
Several vulnerabilities have been discovered in nss, the Mozilla Network Security Service library. CVE-2013-1741: Runaway memset in certificate parsing on 64-bit computers leading to a crash by attempting to write 4Gb of nulls. CVE-2013-5606: Certificate validation with the verifylog mode did not return validation errors, but instead ...
Mozilla Foundation Security Advisory 2014-45: Incorrect IDNA domain name matching for wildcard certificates. Announced: April 29, 2014. Reporter: Christian Heimes. Impact: Moderate. Products: Firefox, SeaMonkey. Fixed in ...

References

CWE-20
https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes
https://bugzilla.redhat.com/show_bug.cgi?id=1079851
https://bugzilla.mozilla.org/show_bug.cgi?id=903885
https://hg.mozilla.org/projects/nss/rev/709d4e597979
http://www.ubuntu.com/usn/USN-2159-1
http://www.mozilla.org/security/announce/2014/mfsa2014-45.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132437.html
http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00006.html
http://lists.opensuse.org/opensuse-updates/2014-05/msg00010.html
http://lists.opensuse.org/opensuse-updates/2014-05/msg00033.html
http://www.ubuntu.com/usn/USN-2185-1
http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00015.html
http://secunia.com/advisories/59866
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
http://www.vmware.com/security/advisories/VMSA-2014-0012.html
http://seclists.org/fulldisclosure/2014/Dec/23
http://www.debian.org/security/2014/dsa-2994
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.securityfocus.com/bid/66356
https://security.gentoo.org/glsa/201504-01
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761
http://secunia.com/advisories/60794
http://secunia.com/advisories/60621
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
http://www.securityfocus.com/archive/1/534161/100/0/threaded
https://nvd.nist.gov
https://usn.ubuntu.com/2185-1/