This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Mozilla First view 2013-10-22
Product Network Security Services Last view 2020-10-22
Version 3.15.1 Type Application
Update *  
Edition *  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:a:mozilla:network_security_services

Activity : Overall

Related : CVE

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
  Date Alert Description
7.5 2020-10-22 CVE-2019-17007

In Network Security Services before 3.44, a malformed Netscape Certificate Sequence can cause NSS to crash, resulting in a denial of service.

6.5 2020-10-22 CVE-2018-18508

In Network Security Services (NSS) before 3.36.7 and before 3.41.1, a malformed signature can cause a crash due to a null dereference, resulting in a Denial of Service.

7.5 2020-10-20 CVE-2020-25648

A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw affects NSS versions before 3.58.

5.9 2019-05-02 CVE-2018-12404

A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.

5.9 2019-04-29 CVE-2018-12384

When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.

5.9 2018-08-01 CVE-2016-8635

It was found that Diffie Hellman Client key exchange handling in NSS 3.21.x was vulnerable to small subgroup confinement attack. An attacker could use this flaw to recover private keys by confining the client DH key to small subgroup of the desired group.

5.9 2018-07-19 CVE-2016-9574

nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA.

5.3 2018-06-11 CVE-2017-5462

A flaw in DRBG number generation within the Network Security Services (NSS) library where the internal state V does not correctly carry bits over. The NSS library has been updated to fix this issue to address this issue and Firefox ESR 52.1 has been updated with NSS version 3.28.4. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.

9.8 2017-05-10 CVE-2017-5461

Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by leveraging incorrect base64 operations.

8.8 2016-06-13 CVE-2016-2834

Mozilla Network Security Services (NSS) before 3.23, as used in Mozilla Firefox before 47.0, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors.

8.8 2016-03-13 CVE-2016-1979

Use-after-free vulnerability in the PK11_ImportDERPrivateKeyInfoAndReturnKey function in Mozilla Network Security Services (NSS) before 3.21.1, as used in Mozilla Firefox before 45.0, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted key data with DER encoding.

7.3 2016-03-13 CVE-2016-1978

Use-after-free vulnerability in the ssl3_HandleECDHServerKeyExchange function in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, allows remote attackers to cause a denial of service or possibly have unspecified other impact by making an SSL (1) DHE or (2) ECDHE handshake at a time of high memory consumption.

5.9 2016-01-08 CVE-2015-7575

Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in TLS 1.2 Handshake Protocol traffic, which makes it easier for man-in-the-middle attackers to spoof servers by triggering a collision.

7.5 2015-11-05 CVE-2015-7183

Integer overflow in the PL_ARENA_ALLOCATE implementation in Netscape Portable Runtime (NSPR) in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

9.8 2015-11-05 CVE-2015-7182

Heap-based buffer overflow in the ASN.1 decoder in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data.

7.5 2015-11-05 CVE-2015-7181

The sec_asn1d_parse_leaf function in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, improperly restricts access to an unspecified data structure, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data, related to a "use-after-poison" issue.

7.5 2014-12-15 CVE-2014-1569

The definite_length_decoder function in lib/util/quickder.c in Mozilla Network Security Services (NSS) before 3.16.2.4 and 3.17.x before 3.17.3 does not ensure that the DER encoding of an ASN.1 length is properly formed, which allows remote attackers to conduct data-smuggling attacks by using a long byte sequence for an encoding, as demonstrated by the SEC_QuickDERDecodeItem function's improper handling of an arbitrary-length encoding of 0x00.

10 2014-07-23 CVE-2014-1544

Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger certain improper removal of an NSSCertificate structure from a trust domain.

4.3 2014-03-25 CVE-2014-1492

The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.

4.3 2014-02-06 CVE-2014-1491

Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote attackers to bypass cryptographic protection mechanisms in ticket handling by leveraging use of a certain value.

9.3 2014-02-06 CVE-2014-1490

Race condition in libssl in Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors involving a resumption handshake that triggers incorrect replacement of a session ticket.

5.8 2014-01-18 CVE-2013-1740

The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic.

5.8 2013-11-18 CVE-2013-5606

The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access restrictions via a crafted certificate.

7.5 2013-11-18 CVE-2013-5605

Mozilla Network Security Services (NSS) 3.14 before 3.14.5 and 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via invalid handshake packets.

7.5 2013-11-18 CVE-2013-1741

Integer overflow in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large size value.

CWE : Common Weakness Enumeration

%idName
15% (3) CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
10% (2) CWE-189 Numeric Errors
10% (2) CWE-20 Improper Input Validation
5% (1) CWE-787 Out-of-bounds Write
5% (1) CWE-770 Allocation of Resources Without Limits or Throttling
5% (1) CWE-682 Incorrect Calculation
5% (1) CWE-476 NULL Pointer Dereference
5% (1) CWE-384 Session Fixation
5% (1) CWE-362 Race Condition
5% (1) CWE-335 PRNG Seed Error
5% (1) CWE-326 Inadequate Encryption Strength
5% (1) CWE-320 Key Management Errors
5% (1) CWE-310 Cryptographic Issues
5% (1) CWE-295 Certificate Issues
5% (1) CWE-264 Permissions, Privileges, and Access Controls
5% (1) CWE-19 Data Handling

Information Assurance Vulnerability Management (IAVM)

id Description
2015-A-0154 Multiple Vulnerabilities in Oracle Fusion Middleware
Severity: Category I - VMSKEY: V0061081
2014-A-0113 Multiple Vulnerabilities in Mozilla Products
Severity: Category I - VMSKEY: V0053309
2014-A-0021 Multiple Vulnerabilities in Mozilla Products
Severity: Category I - VMSKEY: V0043921
2013-A-0220 Multiple Vulnerabilities in Mozilla Products
Severity: Category I - VMSKEY: V0042380

Nessus® Vulnerability Scanner

This CPE have more than 25 Relations. If you want to see a complete summary for this CPE, please contact us.
id Description
2019-01-10 Name: The remote device is affected by multiple vulnerabilities.
File: juniper_space_jsa10917_184R1.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing one or more security updates.
File: fedora_2018-1a7a5c54c2.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-2575edf8d3.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing a security update.
File: fedora_2018-a78b2ef820.nasl - Type: ACT_GATHER_INFO
2019-01-03 Name: The remote Fedora host is missing one or more security updates.
File: fedora_2018-c72d2d89ec.nasl - Type: ACT_GATHER_INFO
2018-12-04 Name: The remote Slackware host is missing a security update.
File: Slackware_SSA_2018-337-01.nasl - Type: ACT_GATHER_INFO
2018-11-21 Name: The remote Virtuozzo host is missing a security update.
File: Virtuozzo_VZLSA-2018-2898.nasl - Type: ACT_GATHER_INFO
2018-11-07 Name: The remote EulerOS host is missing a security update.
File: EulerOS_SA-2018-1366.nasl - Type: ACT_GATHER_INFO
2018-11-06 Name: The remote EulerOS host is missing a security update.
File: EulerOS_SA-2018-1358.nasl - Type: ACT_GATHER_INFO
2018-10-26 Name: The remote Amazon Linux 2 host is missing a security update.
File: al2_ALAS-2018-1095.nasl - Type: ACT_GATHER_INFO
2018-10-25 Name: The remote Amazon Linux AMI host is missing a security update.
File: ala_ALAS-2018-1095.nasl - Type: ACT_GATHER_INFO
2018-10-10 Name: The remote CentOS host is missing one or more security updates.
File: centos_RHSA-2018-2898.nasl - Type: ACT_GATHER_INFO
2018-10-01 Name: The remote CentOS host is missing one or more security updates.
File: centos_RHSA-2018-2768.nasl - Type: ACT_GATHER_INFO
2018-09-18 Name: The remote Fedora host is missing one or more security updates.
File: fedora_2018-4a21a8ca59.nasl - Type: ACT_GATHER_INFO
2018-02-20 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201802-03.nasl - Type: ACT_GATHER_INFO
2018-01-15 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201801-15.nasl - Type: ACT_GATHER_INFO
2017-10-24 Name: The remote AIX host has a version of bind installed that is affected by multi...
File: aix_bind_nettcp_advisory2.nasl - Type: ACT_GATHER_INFO
2017-08-23 Name: The remote SUSE host is missing one or more security updates.
File: suse_SU-2017-2235-1.nasl - Type: ACT_GATHER_INFO
2017-07-13 Name: The remote Virtuozzo host is missing a security update.
File: Virtuozzo_VZLSA-2017-1100.nasl - Type: ACT_GATHER_INFO
2017-06-27 Name: The remote SUSE host is missing one or more security updates.
File: suse_SU-2017-1669-1.nasl - Type: ACT_GATHER_INFO
2017-06-21 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-201706-18.nasl - Type: ACT_GATHER_INFO
2017-06-02 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-3872.nasl - Type: ACT_GATHER_INFO
2017-05-22 Name: The remote Debian host is missing a security update.
File: debian_DLA-946.nasl - Type: ACT_GATHER_INFO
2017-05-17 Name: The remote Ubuntu host is missing a security-related patch.
File: ubuntu_USN-3278-1.nasl - Type: ACT_GATHER_INFO
2017-05-12 Name: The remote device is missing a vendor-supplied security patch.
File: f5_bigip_SOL15479471.nasl - Type: ACT_GATHER_INFO