This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Mozilla First view 2006-09-15
Product Network Security Services Last view 2020-10-22
Version 3.1.1 Type Application
Update *  
Edition *  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:a:mozilla:network_security_services

Activity : Overall

Related : CVE

  Date Alert Description
7.5 2020-10-22 CVE-2019-17007

In Network Security Services before 3.44, a malformed Netscape Certificate Sequence can cause NSS to crash, resulting in a denial of service.

6.5 2020-10-22 CVE-2018-18508

In Network Security Services (NSS) before 3.36.7 and before 3.41.1, a malformed signature can cause a crash due to a null dereference, resulting in a Denial of Service.

7.5 2020-10-20 CVE-2020-25648

A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw affects NSS versions before 3.58.

5.9 2019-05-02 CVE-2018-12404

A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.

5.9 2019-04-29 CVE-2018-12384

When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.

5.9 2018-08-01 CVE-2016-8635

It was found that Diffie Hellman Client key exchange handling in NSS 3.21.x was vulnerable to small subgroup confinement attack. An attacker could use this flaw to recover private keys by confining the client DH key to small subgroup of the desired group.

5.9 2018-07-19 CVE-2016-9574

nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA.

5.3 2018-06-11 CVE-2017-5462

A flaw in DRBG number generation within the Network Security Services (NSS) library where the internal state V does not correctly carry bits over. The NSS library has been updated to fix this issue to address this issue and Firefox ESR 52.1 has been updated with NSS version 3.28.4. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.

9.8 2017-05-10 CVE-2017-5461

Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by leveraging incorrect base64 operations.

8.8 2016-06-13 CVE-2016-2834

Mozilla Network Security Services (NSS) before 3.23, as used in Mozilla Firefox before 47.0, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors.

8.8 2016-03-13 CVE-2016-1979

Use-after-free vulnerability in the PK11_ImportDERPrivateKeyInfoAndReturnKey function in Mozilla Network Security Services (NSS) before 3.21.1, as used in Mozilla Firefox before 45.0, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted key data with DER encoding.

7.3 2016-03-13 CVE-2016-1978

Use-after-free vulnerability in the ssl3_HandleECDHServerKeyExchange function in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, allows remote attackers to cause a denial of service or possibly have unspecified other impact by making an SSL (1) DHE or (2) ECDHE handshake at a time of high memory consumption.

5.9 2016-01-08 CVE-2015-7575

Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.

7.5 2015-11-05 CVE-2015-7183

Integer overflow in the PL_ARENA_ALLOCATE implementation in Netscape Portable Runtime (NSPR) in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

9.8 2015-11-05 CVE-2015-7182

Heap-based buffer overflow in the ASN.1 decoder in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data.

7.5 2015-11-05 CVE-2015-7181

The sec_asn1d_parse_leaf function in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, improperly restricts access to an unspecified data structure, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data, related to a "use-after-poison" issue.

7.5 2014-12-15 CVE-2014-1569

The definite_length_decoder function in lib/util/quickder.c in Mozilla Network Security Services (NSS) before 3.16.2.4 and 3.17.x before 3.17.3 does not ensure that the DER encoding of an ASN.1 length is properly formed, which allows remote attackers to conduct data-smuggling attacks by using a long byte sequence for an encoding, as demonstrated by the SEC_QuickDERDecodeItem function's improper handling of an arbitrary-length encoding of 0x00.

4.3 2014-03-25 CVE-2014-1492

The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.

4.3 2014-02-06 CVE-2014-1491

Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote attackers to bypass cryptographic protection mechanisms in ticket handling by leveraging use of a certain value.

9.3 2014-02-06 CVE-2014-1490

Race condition in libssl in Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors involving a resumption handshake that triggers incorrect replacement of a session ticket.

5.8 2014-01-18 CVE-2013-1740

The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic.

5 2013-10-22 CVE-2013-1739

Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure.

5 2012-06-05 CVE-2012-0441

The ASN.1 decoder in the QuickDER decoder in Mozilla Network Security Services (NSS) before 3.13.4, as used in Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10, allows remote attackers to cause a denial of service (application crash) via a zero-length item, as demonstrated by (1) a zero-length basic constraint or (2) a zero-length field in an OCSP response.

6.8 2007-02-26 CVE-2007-0009

Stack-based buffer overflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, SeaMonkey before 1.0.8, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via invalid "Client Master Key" length values.

4 2006-09-15 CVE-2006-4340

Mozilla Network Security Service (NSS) library before 3.11.3, as used in Mozilla Firefox before 1.5.0.7, Thunderbird before 1.5.0.7, and SeaMonkey before 1.0.5, when using an RSA key with exponent 3, does not properly handle extra data in a signature, which allows remote attackers to forge signatures for SSL/TLS and email certificates, a similar vulnerability to CVE-2006-4339. NOTE: on 20061107, Mozilla released an advisory stating that these versions were not completely patched by MFSA2006-60. The newer fixes for 1.5.0.7 are covered by CVE-2006-5462.

CWE : Common Weakness Enumeration

%idName
25% (5) CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
10% (2) CWE-20 Improper Input Validation
5% (1) CWE-787 Out-of-bounds Write
5% (1) CWE-770 Allocation of Resources Without Limits or Throttling
5% (1) CWE-682 Incorrect Calculation
5% (1) CWE-476 NULL Pointer Dereference
5% (1) CWE-384 Session Fixation
5% (1) CWE-362 Race Condition
5% (1) CWE-335 PRNG Seed Error
5% (1) CWE-326 Inadequate Encryption Strength
5% (1) CWE-320 Key Management Errors
5% (1) CWE-310 Cryptographic Issues
5% (1) CWE-295 Certificate Issues
5% (1) CWE-189 Numeric Errors
5% (1) CWE-19 Data Handling

Open Source Vulnerability Database (OSVDB)

id Description
32106 Mozilla Network Security Services SSLv2 Server Remote Overflow
29013 Mozilla Multiple Products NSS Library RSA Exponent 3 Signature Forgery

OpenVAS Exploits

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
id Description
2012-12-13 Name : SuSE Update for MozillaFirefox, openSUSE-SU-2012:0760-1 (MozillaFirefox,)
File : nvt/gb_suse_2012_0760_1.nasl
2012-11-16 Name : VMSA-2012-0016: VMware security updates for vSphere API and ESX Service Console
File : nvt/gb_VMSA-2012-0016.nasl
2012-08-24 Name : Ubuntu Update for nss USN-1540-2
File : nvt/gb_ubuntu_USN_1540_2.nasl
2012-08-17 Name : Ubuntu Update for nss USN-1540-1
File : nvt/gb_ubuntu_USN_1540_1.nasl
2012-08-10 Name : Debian Security Advisory DSA 2490-1 (nss)
File : nvt/deb_2490_1.nasl
2012-08-10 Name : FreeBSD Ports: firefox
File : nvt/freebsd_firefox68.nasl
2012-08-03 Name : Mandriva Update for mozilla MDVSA-2012:088 (mozilla)
File : nvt/gb_mandriva_MDVSA_2012_088.nasl
2012-07-30 Name : CentOS Update for nspr CESA-2012:1090 centos5
File : nvt/gb_CESA-2012_1090_nspr_centos5.nasl
2012-07-30 Name : CentOS Update for nspr CESA-2012:1091 centos6
File : nvt/gb_CESA-2012_1091_nspr_centos6.nasl
2012-07-19 Name : RedHat Update for nss and nspr RHSA-2012:1090-01
File : nvt/gb_RHSA-2012_1090-01_nss_and_nspr.nasl
2012-07-19 Name : RedHat Update for nss, nspr, and nss-util RHSA-2012:1091-01
File : nvt/gb_RHSA-2012_1091-01_nss_nspr_and_nss-util.nasl
2012-06-28 Name : Ubuntu Update for thunderbird USN-1463-6
File : nvt/gb_ubuntu_USN_1463_6.nasl
2012-06-25 Name : Ubuntu Update for thunderbird USN-1463-4
File : nvt/gb_ubuntu_USN_1463_4.nasl
2012-06-25 Name : Mandriva Update for mozilla MDVSA-2012:088-1 (mozilla)
File : nvt/gb_mandriva_MDVSA_2012_088_1.nasl
2012-06-22 Name : Ubuntu Update for firefox USN-1463-3
File : nvt/gb_ubuntu_USN_1463_3.nasl
2012-06-19 Name : Mozilla Products Multiple Vulnerabilities - June12 (Windows)
File : nvt/gb_mozilla_prdts_mult_vuln_jun12_win.nasl
2012-06-19 Name : Mozilla Products Multiple Vulnerabilities - June12 (Mac OS X)
File : nvt/gb_mozilla_prdts_mult_vuln_jun12_macosx.nasl
2012-06-08 Name : Ubuntu Update for firefox USN-1463-1
File : nvt/gb_ubuntu_USN_1463_1.nasl
2009-10-10 Name : SLES9: Security update for Mozilla suite
File : nvt/sles9p5012115.nasl
2009-04-09 Name : Mandriva Update for mozilla-firefox MDKSA-2007:050-1 (mozilla-firefox)
File : nvt/gb_mandriva_MDKSA_2007_050_1.nasl
2009-04-09 Name : Mandriva Update for mozilla-firefox MDKSA-2007:050 (mozilla-firefox)
File : nvt/gb_mandriva_MDKSA_2007_050.nasl
2009-04-09 Name : Mandriva Update for mozilla-thunderbird MDKSA-2007:052 (mozilla-thunderbird)
File : nvt/gb_mandriva_MDKSA_2007_052.nasl
2009-03-23 Name : Ubuntu Update for mozilla-thunderbird vulnerabilities USN-431-1
File : nvt/gb_ubuntu_USN_431_1.nasl
2009-03-23 Name : Ubuntu Update for firefox regression USN-428-2
File : nvt/gb_ubuntu_USN_428_2.nasl
2009-03-23 Name : Ubuntu Update for firefox vulnerabilities USN-428-1
File : nvt/gb_ubuntu_USN_428_1.nasl

Information Assurance Vulnerability Management (IAVM)

id Description
2015-A-0154 Multiple Vulnerabilities in Oracle Fusion Middleware
Severity: Category I - VMSKEY: V0061081
2014-A-0021 Multiple Vulnerabilities in Mozilla Products
Severity: Category I - VMSKEY: V0043921
2014-A-0009 Multiple Vulnerabilities in Oracle Fusion Middleware
Severity: Category I - VMSKEY: V0043395
2012-A-0189 Multiple Vulnerabilities in VMware ESXi 4.1 and ESX 4.1
Severity: Category I - VMSKEY: V0035032

Snort® IPS/IDS

Date Description
2014-01-10 Mozilla Network Security Services SSLv2 stack overflow attempt
RuleID : 11672 - Type : BROWSER-OTHER - Revision : 8

Nessus® Vulnerability Scanner

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
id Description
2019-01-10 Name: The remote device is affected by multiple vulnerabilities.
File: juniper_space_jsa10917_184R1.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing one or more security updates.
File: fedora_2018-1a7a5c54c2.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-2575edf8d3.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-a78b2ef820.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing one or more security updates.
File: fedora_2018-c72d2d89ec.nasl - Type: ACT_GATHER_INFO
2018-12-04 Name: The remote Slackware host is missing a security update.
File: Slackware_SSA_2018-337-01.nasl - Type: ACT_GATHER_INFO
2018-11-21 Name: The remote Virtuozzo host is missing a security update.
File: Virtuozzo_VZLSA-2018-2898.nasl - Type: ACT_GATHER_INFO
2018-11-07 Name: The remote EulerOS host is missing a security update.
File: EulerOS_SA-2018-1366.nasl - Type: ACT_GATHER_INFO
2018-11-06 Name: The remote EulerOS host is missing a security update.
File: EulerOS_SA-2018-1358.nasl - Type: ACT_GATHER_INFO
2018-10-26 Name: The remote Amazon Linux 2 host is missing a security update.
File: al2_ALAS-2018-1095.nasl - Type: ACT_GATHER_INFO
2018-10-25 Name: The remote Amazon Linux AMI host is missing a security update.
File: ala_ALAS-2018-1095.nasl - Type: ACT_GATHER_INFO
2018-10-10 Name: The remote CentOS host is missing one or more security updates.
File: centos_RHSA-2018-2898.nasl - Type: ACT_GATHER_INFO
2018-10-01 Name: The remote CentOS host is missing one or more security updates.
File: centos_RHSA-2018-2768.nasl - Type: ACT_GATHER_INFO
2018-09-18 Name: The remote Fedora host is missing one or more security updates.
File: fedora_2018-4a21a8ca59.nasl - Type: ACT_GATHER_INFO
2018-02-20 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201802-03.nasl - Type: ACT_GATHER_INFO
2018-01-15 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201801-15.nasl - Type: ACT_GATHER_INFO
2017-10-24 Name: The remote AIX host has a version of bind installed that is affected by multi...
File: aix_bind_nettcp_advisory2.nasl - Type: ACT_GATHER_INFO
2017-08-23 Name: The remote SUSE host is missing one or more security updates.
File: suse_SU-2017-2235-1.nasl - Type: ACT_GATHER_INFO
2017-07-13 Name: The remote Virtuozzo host is missing a security update.
File: Virtuozzo_VZLSA-2017-1100.nasl - Type: ACT_GATHER_INFO
2017-06-27 Name: The remote SUSE host is missing one or more security updates.
File: suse_SU-2017-1669-1.nasl - Type: ACT_GATHER_INFO
2017-06-21 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201706-18.nasl - Type: ACT_GATHER_INFO
2017-06-02 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-3872.nasl - Type: ACT_GATHER_INFO
2017-05-22 Name: The remote Debian host is missing a security update.
File: debian_DLA-946.nasl - Type: ACT_GATHER_INFO
2017-05-17 Name: The remote Ubuntu host is missing a security-related patch.
File: ubuntu_USN-3278-1.nasl - Type: ACT_GATHER_INFO
2017-05-12 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL15479471.nasl - Type: ACT_GATHER_INFO