7.5

CVE-2014-1569

Exploit

EPSS 3.64%
Veröffentlicht 15.12.2014 18:59:00
Zuletzt bearbeitet 12.04.2025 10:46:40
Quelle security@mozilla.org
CVE-Watchlists
Login
Unerledigt
Login

The definite_length_decoder function in lib/util/quickder.c in Mozilla Network Security Services (NSS) before 3.16.2.4 and 3.17.x before 3.17.3 does not ensure that the DER encoding of an ASN.1 length is properly formed, which allows remote attackers to conduct data-smuggling attacks by using a long byte sequence for an encoding, as demonstrated by the SEC_QuickDERDecodeItem function's improper handling of an arbitrary-length encoding of 0x00.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 0 Referenzen 18

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mozilla ≫ Network Security Services Version <= 3.16.2.3

Mozilla ≫ Network Security Services Version3.16.2.0

Mozilla ≫ Network Security Services Version3.16.2.1

Mozilla ≫ Network Security Services Version3.16.2.2

Mozilla ≫ Network Security Services Version3.17.0

Mozilla ≫ Network Security Services Version3.17.1

Mozilla ≫ Network Security Services Version3.17.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	3.64%	0.874

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00024.html

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00032.html

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00033.html

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00036.html

http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00000.html

http://www.debian.org/security/2015/dsa-3186

http://www.intelsecurity.com/resources/wp-berserk-analysis-part-1.pdf

Exploit

http://www.securitytracker.com/id/1032909

https://bugzilla.mozilla.org/show_bug.cgi?id=1064670

Exploit

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.3_release_notes

Vendor Advisory

https://www.imperialviolet.org/2014/09/26/pkcs1.html

Exploit

https://www.reddit.com/r/netsec/comments/2hd1m8/rsa_signature_forgery_in_nss/cksnr02

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2014-1569

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2014-1569

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2014-1569

EUVD