4.3

CVE-2014-1492

Exploit
The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
MozillaNetwork Security Services Version <= 3.15.5
MozillaNetwork Security Services Version3.12.3.1
MozillaNetwork Security Services Version3.12.3.2
MozillaNetwork Security Services Version3.12.10
MozillaNetwork Security Services Version3.12.11
MozillaNetwork Security Services Version3.15.3.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.77% 0.752
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
http://seclists.org/fulldisclosure/2014/Dec/23
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
http://www.securityfocus.com/archive/1/534161/100/0/threaded
http://www.vmware.com/security/advisories/VMSA-2014-0012.html
https://security.gentoo.org/glsa/201504-01
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
http://www.debian.org/security/2014/dsa-2994
http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132437.html
http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00015.html
http://lists.opensuse.org/opensuse-updates/2014-05/msg00010.html
http://lists.opensuse.org/opensuse-updates/2014-05/msg00033.html
http://secunia.com/advisories/59866
http://secunia.com/advisories/60621
http://secunia.com/advisories/60794
http://www.mozilla.org/security/announce/2014/mfsa2014-45.html
http://www.securityfocus.com/bid/66356
http://www.ubuntu.com/usn/USN-2159-1
http://www.ubuntu.com/usn/USN-2185-1
https://bugzilla.mozilla.org/show_bug.cgi?id=903885
https://bugzilla.redhat.com/show_bug.cgi?id=1079851
https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes
https://hg.mozilla.org/projects/nss/rev/709d4e597979
Patch
Exploit