
CVE-2014-1492

Date: (C)2014-04-21   (M)2019-10-10


The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.

CVSS Score and Metrics

CVSS V2 Severity:
CVSS Score : 4.3
Exploit Score: 8.6
Impact Score: 2.9
 
CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality: NONE
Integrity: PARTIAL
Availability: NONE
  
Reference:
http://www.securityfocus.com/archive/1/archive/1/534161/100/0/threaded
http://seclists.org/fulldisclosure/2015/Apr/5
SECUNIA-59866
SECUNIA-60621
SECUNIA-60794
BID-66356
DSA-2994
FEDORA-2014-5829
GLSA-201504-01
SUSE-SU-2014:0665
SUSE-SU-2014:0727
USN-2159-1
USN-2185-1
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761
http://packetstormsecurity.com/files/131271/VMware-Security-Advisory-2015-0003.html
http://www.mozilla.org/security/announce/2014/mfsa2014-45.html
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.vmware.com/security/advisories/VMSA-2014-0012.html
https://bugzilla.mozilla.org/show_bug.cgi?id=903885
https://bugzilla.redhat.com/show_bug.cgi?id=1079851
https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes
https://hg.mozilla.org/projects/nss/rev/709d4e597979
openSUSE-SU-2014:0599
openSUSE-SU-2014:0629

CPE    50
cpe:/a:mozilla:network_security_services:3.3.1
cpe:/a:mozilla:network_security_services:3.12.1
cpe:/a:mozilla:network_security_services:3.12.3
cpe:/a:mozilla:network_security_services:3.14.1
...
CWE    1
CWE-20
OVAL    25
oval:org.secpod.oval:def:1200082
oval:org.secpod.oval:def:1200087
oval:org.secpod.oval:def:203361
oval:org.secpod.oval:def:501366
...

© SecPod Technologies