CVE-2014-1491

high

Description

Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote attackers to bypass cryptographic protection mechanisms in ticket handling by leveraging use of a certain value.

References

https://security.gentoo.org/glsa/201504-01

https://exchange.xforce.ibmcloud.com/vulnerabilities/90886

http://www.vmware.com/security/advisories/VMSA-2014-0012.html

http://www.ubuntu.com/usn/USN-2119-1

http://www.ubuntu.com/usn/USN-2102-2

http://www.ubuntu.com/usn/USN-2102-1

http://www.securitytracker.com/id/1029721

http://www.securitytracker.com/id/1029720

http://www.securitytracker.com/id/1029717

http://www.securityfocus.com/bid/65332

http://www.securityfocus.com/archive/1/534161/100/0/threaded

http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

http://www.mozilla.org/security/announce/2014/mfsa2014-12.html

http://www.debian.org/security/2014/dsa-2994

http://www.debian.org/security/2014/dsa-2858

http://secunia.com/advisories/56922

http://secunia.com/advisories/56888

http://secunia.com/advisories/56858

http://seclists.org/fulldisclosure/2014/Dec/23

http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00017.html

http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00010.html

http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00005.html

http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00004.html

http://lists.fedoraproject.org/pipermail/package-announce/2014-February/129218.html

http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127966.html

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761

http://hg.mozilla.org/projects/nss/rev/12c42006aed8

Details

Source: Mitre, NVD

Published: 2014-02-06

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High