Executive Summary

Information

Name: CVE-2014-1492
Vendor: Cve
First vendor publication: 2014-03-25
Last vendor modification: 2018-10-09

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact sub score: NA
Temporal score: NA
Exploitability sub score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS base score: 4.3
CVSS impact score: 2.9
CVSS exploit score: 8.6
Attack range: Network
Attack complexity: Medium
Authentication: None required

Detail

The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
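As an added illustration (not NSS's cert_TestHostName and not code from this page's sources), the matcher below applies the RFC 6125 Section 6.4.3 wildcard rules plus the Section 7.2 restriction that a wildcard must not be embedded in an internationalized label, which is the check NSS lacked before 3.16. Certificates carry IDN labels in A-label (`xn--`) form, so that is the form inspected; the `reject_idn` switch places the pre-3.16 behaviour beside the fixed one, and the host names and the `xn--a-ecp` label are constructed.

```python
"""Wildcard dNSName matching per RFC 6125 s6.4.3 plus the s7.2 rule that a
wildcard must not be embedded in an internationalized label.
Added illustration; not NSS's cert_TestHostName and not taken from this page."""

ACE_PREFIX = "xn--"   # RFC 5890 A-label prefix; certificates carry IDNs in this form


def _labels(name: str) -> list[str]:
    """Lower-case, drop one trailing dot (FQDN form) and split on '.'."""
    return name.lower().rstrip(".").split(".")


def _wildcard_label_matches(pattern_label: str, host_label: str, reject_idn: bool) -> bool:
    """Match one left-most label that contains exactly one '*' (e.g. 'baz*')."""
    if pattern_label.count("*") != 1:
        return False
    if reject_idn and pattern_label.startswith(ACE_PREFIX):
        # RFC 6125 s7.2, last bullet: no wildcard inside an A-label/U-label.
        # This is the check that was missing before NSS 3.16.
        return False
    prefix, suffix = pattern_label.split("*")
    return (len(host_label) >= len(prefix) + len(suffix)
            and host_label.startswith(prefix)
            and host_label.endswith(suffix))


def hostname_matches(pattern: str, hostname: str, reject_idn: bool = True) -> bool:
    """True if the presented identifier `pattern` matches `hostname`."""
    p, h = _labels(pattern), _labels(hostname)
    if not any("*" in lab for lab in p):
        return p == h                    # plain name: exact, case-insensitive
    if any("*" in lab for lab in p[1:]):
        return False                     # wildcard only in the left-most label
    if len(p) < 3:
        return False                     # conservative extra (assumption): refuse '*' and '*.com'
    if len(p) != len(h) or p[1:] != h[1:]:
        return False                     # a wildcard never spans a '.'
    return _wildcard_label_matches(p[0], h[0], reject_idn)


if __name__ == "__main__":
    # Constructed IDN label 'xn--a-ecp'; a presented 'xn--a*' must be rejected.
    print(hostname_matches("*.example.com", "www.example.com"))                            # True
    print(hostname_matches("xn--a*.example.com", "xn--a-ecp.example.com"))                 # False (fixed)
    print(hostname_matches("xn--a*.example.com", "xn--a-ecp.example.com", reject_idn=False))  # True (pre-3.16)
```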

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1492

CWE : Common Weakness Enumeration

CWE-20 Improper Input Validation (100 %)

OVAL Definitions

Oval ID: oval:org.mitre.oval:def:24484
Title: USN-2159-1 -- nss vulnerability
Description: NSS could be made to expose sensitive information over the network.
Family: unix Class: patch
Reference(s): USN-2159-1
CVE-2014-1492
Version: 5
Platform(s): Ubuntu 13.10
Ubuntu 12.10
Ubuntu 12.04
Ubuntu 10.04
Product(s): nss

Oval ID: oval:org.mitre.oval:def:24541
Title: Incorrect IDNA domain name matching for wildcard certificates
Description: The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
Family: windows Class: vulnerability
Reference(s): CVE-2014-1492
Version: 11
Platform(s): Microsoft Windows Server 2012 R2
Microsoft Windows 8.1
Microsoft Windows Server 2012
Microsoft Windows 8
Microsoft Windows Server 2008 R2
Microsoft Windows 7
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows XP
Product(s): Mozilla Firefox
Mozilla SeaMonkey

Oval ID: oval:org.mitre.oval:def:25341
Title: SUSE-SU-2014:0665-2 -- Security update for Mozilla Firefox
Description: This Mozilla Firefox update provides several security and non-security fixes. Mozilla Firefox has been updated to the 24.5.0esr version, which fixes the following issues:
* MFSA 2014-34/CVE-2014-1518 Miscellaneous memory safety hazards
* MFSA 2014-37/CVE-2014-1523 Out of bounds read while decoding JPG images
* MFSA 2014-38/CVE-2014-1524 Buffer overflow when using non-XBL object as XBL
* MFSA 2014-42/CVE-2014-1529 Privilege escalation through Web Notification API
* MFSA 2014-43/CVE-2014-1530 Cross-site scripting (XSS) using history navigations
* MFSA 2014-44/CVE-2014-1531 Use-after-free in imgLoader while resizing images
* MFSA 2014-46/CVE-2014-1532 Use-after-free in nsHostResolver
Mozilla NSS has been updated to version 3.16:
* required for Firefox 29
* CVE-2014-1492: In a wildcard certificate, the wildcard character should not be embedded within the U-label of an internationalized domain name. See the last bullet point in RFC 6125, Section 7.2.
* Update of root certificates.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0665-2
CVE-2014-1518
CVE-2014-1523
CVE-2014-1524
CVE-2014-1529
CVE-2014-1530
CVE-2014-1531
CVE-2014-1532
CVE-2014-1492
Version: 5
Platform(s): SUSE Linux Enterprise Server 10
Product(s): Mozilla Firefox

Oval ID: oval:org.mitre.oval:def:25349
Title: SUSE-SU-2014:0727-1 -- Security update for Mozilla Firefox
Description: This Mozilla Firefox update provides several security and non-security fixes. MozillaFirefox has been updated to 24.5.0esr, which fixes the following issues:
* MFSA 2014-34/CVE-2014-1518 Miscellaneous memory safety hazards
* MFSA 2014-37/CVE-2014-1523 Out of bounds read while decoding JPG images
* MFSA 2014-38/CVE-2014-1524 Buffer overflow when using non-XBL object as XBL
* MFSA 2014-42/CVE-2014-1529 Privilege escalation through Web Notification API
* MFSA 2014-43/CVE-2014-1530 Cross-site scripting (XSS) using history navigations
* MFSA 2014-44/CVE-2014-1531 Use-after-free in imgLoader while resizing images
* MFSA 2014-46/CVE-2014-1532 Use-after-free in nsHostResolver
Mozilla NSS has been updated to 3.16:
* required for Firefox 29
* CVE-2014-1492: In a wildcard certificate, the wildcard character should not be embedded within the U-label of an internationalized domain name. See the last bullet point in RFC 6125, Section 7.2.
* Update of root certificates.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0727-1
CVE-2014-1518
CVE-2014-1523
CVE-2014-1524
CVE-2014-1529
CVE-2014-1530
CVE-2014-1531
CVE-2014-1532
CVE-2014-1492
Version: 5
Platform(s): SUSE Linux Enterprise Server 10
Product(s): Mozilla Firefox

Oval ID: oval:org.mitre.oval:def:25501
Title: SUSE-SU-2014:0665-1 -- Security update for Mozilla Firefox
Description: This Mozilla Firefox and Mozilla NSS update fixes several security and non-security issues. Mozilla Firefox has been updated to 24.5.0esr, which fixes the following issues:
* MFSA 2014-34/CVE-2014-1518 Miscellaneous memory safety hazards
* MFSA 2014-37/CVE-2014-1523 Out of bounds read while decoding JPG images
* MFSA 2014-38/CVE-2014-1524 Buffer overflow when using non-XBL object as XBL
* MFSA 2014-42/CVE-2014-1529 Privilege escalation through Web Notification API
* MFSA 2014-43/CVE-2014-1530 Cross-site scripting (XSS) using history navigations
* MFSA 2014-44/CVE-2014-1531 Use-after-free in imgLoader while resizing images
* MFSA 2014-46/CVE-2014-1532 Use-after-free in nsHostResolver
Mozilla NSS has been updated to 3.16:
* required for Firefox 29
* CVE-2014-1492: In a wildcard certificate, the wildcard character should not be embedded within the U-label of an internationalized domain name. See the last bullet point in RFC 6125, Section 7.2.
* Update of root certificates.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0665-1
CVE-2014-1518
CVE-2014-1523
CVE-2014-1524
CVE-2014-1529
CVE-2014-1530
CVE-2014-1531
CVE-2014-1532
CVE-2014-1492
Version: 5
Platform(s): SUSE Linux Enterprise Server 11
Product(s): Mozilla Firefox

Oval ID: oval:org.mitre.oval:def:26141
Title: DSA-2994-1 -- nss - security update
Description: Several vulnerabilities have been discovered in nss, the Mozilla Network Security Service library.
Family: unix Class: patch
Reference(s): DSA-2994-1
CVE-2013-1741
CVE-2013-5606
CVE-2014-1491
CVE-2014-1492
Version: 5
Platform(s): Debian GNU/Linux 7
Debian GNU/kFreeBSD 7
Product(s): nss

Oval ID: oval:org.mitre.oval:def:26168
Title: RHSA-2014:1073: nss, nss-util, nss-softokn security, bug fix, and enhancement update (Low)
Description: Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv3, TLS, and other security standards.
Family: unix Class: patch
Reference(s): RHSA-2014:1073-00
CESA-2014:1073
CVE-2014-1492
Version: 3
Platform(s): Red Hat Enterprise Linux 7
CentOS Linux 7
Product(s): nss
nss-softokn
nss-util

Oval ID: oval:org.mitre.oval:def:27251
Title: ELSA-2014-1073 -- nss, nss-util, nss-softokn security, bug fix, and enhancement update (low)
Description: nss [3.16.2-2.0.1.el7_0] - Added nss-vendor.patch to change vendor
Family: unix Class: patch
Reference(s): ELSA-2014-1073
CVE-2014-1492
Version: 3
Platform(s): Oracle Linux 7
Product(s): nss
nss-softokn
nss-util

CPE : Common Platform Enumeration

Type: Application
Count: 70

Information Assurance Vulnerability Management (IAVM)

Date Description
2014-12-11 IAVM : 2014-B-0162 - VMware vCenter Server 5.1 Certificate Validation Vulnerability
Severity : Category I - VMSKEY : V0057685
2014-12-11 IAVM : 2014-B-0159 - VMware vCenter Server Appliance 5.1 Cross-site Scripting Vulnerability
Severity : Category II - VMSKEY : V0057687
2014-12-11 IAVM : 2014-A-0191 - VMware vCenter Server 5.0 Certificate Validation Vulnerability
Severity : Category I - VMSKEY : V0057699
2014-12-11 IAVM : 2014-B-0161 - Multiple Vulnerabilities in VMware ESXi 5.1
Severity : Category I - VMSKEY : V0057717

Nessus® Vulnerability Scanner

Date Description
2016-05-18 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL16716.nasl - Type : ACT_GATHER_INFO
2015-12-30 Name : The remote VMware ESXi host is missing a security-related patch.
File : vmware_VMSA-2014-0012_remote.nasl - Type : ACT_GATHER_INFO
2015-05-29 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2015-533.nasl - Type : ACT_GATHER_INFO
2015-05-29 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2015-532.nasl - Type : ACT_GATHER_INFO
2015-05-29 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2015-531.nasl - Type : ACT_GATHER_INFO
2015-05-29 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2015-530.nasl - Type : ACT_GATHER_INFO
2015-05-29 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2015-529.nasl - Type : ACT_GATHER_INFO
2015-05-20 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2014-0727-1.nasl - Type : ACT_GATHER_INFO
2015-05-20 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2014-0665-2.nasl - Type : ACT_GATHER_INFO
2015-05-20 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2014-0665-1.nasl - Type : ACT_GATHER_INFO
2015-04-08 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201504-01.nasl - Type : ACT_GATHER_INFO
2015-03-26 Name : The remote Debian host is missing a security update.
File : debian_DLA-23.nasl - Type : ACT_GATHER_INFO
2015-03-19 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2015-059.nasl - Type : ACT_GATHER_INFO
2014-12-12 Name : The remote host has a virtualization management application installed that is...
File : vmware_vcenter_vmsa-2014-0012.nasl - Type : ACT_GATHER_INFO
2014-12-12 Name : The remote host has an update manager installed that is affected by multiple ...
File : vmware_vcenter_update_mgr_vmsa-2014-0012.nasl - Type : ACT_GATHER_INFO
2014-12-12 Name : The remote host has a virtualization appliance installed that is affected by ...
File : vmware_vcenter_server_appliance_vmsa-2014-0012.nasl - Type : ACT_GATHER_INFO
2014-12-12 Name : The remote VMware ESXi 5.1 host is affected by multiple vulnerabilities.
File : vmware_esxi_5_1_build_2323236_remote.nasl - Type : ACT_GATHER_INFO
2014-12-06 Name : The remote VMware ESXi host is missing a security-related patch.
File : vmware_VMSA-2014-0012.nasl - Type : ACT_GATHER_INFO
2014-11-26 Name : The remote OracleVM host is missing a security update.
File : oraclevm_OVMSA-2014-0012.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2014-0979.nasl - Type : ACT_GATHER_INFO
2014-10-31 Name : The remote host is affected by multiple vulnerabilities.
File : oracle_opensso_agent_cpu_oct_2014.nasl - Type : ACT_GATHER_INFO
2014-10-01 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-1246.nasl - Type : ACT_GATHER_INFO
2014-09-29 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20140916_nss_and_nspr_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2014-09-18 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-1246.nasl - Type : ACT_GATHER_INFO
2014-09-16 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-1246.nasl - Type : ACT_GATHER_INFO
2014-08-19 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-1073.nasl - Type : ACT_GATHER_INFO
2014-08-19 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-1073.nasl - Type : ACT_GATHER_INFO
2014-08-19 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-1073.nasl - Type : ACT_GATHER_INFO
2014-08-01 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2994.nasl - Type : ACT_GATHER_INFO
2014-07-31 Name : The remote host is running software with multiple vulnerabilities.
File : oracle_traffic_director_july_2014_cpu.nasl - Type : ACT_GATHER_INFO
2014-07-23 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20140722_nss_and_nspr_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2014-07-23 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-0917.nasl - Type : ACT_GATHER_INFO
2014-07-23 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-0917.nasl - Type : ACT_GATHER_INFO
2014-07-23 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-0917.nasl - Type : ACT_GATHER_INFO
2014-07-18 Name : A web proxy server on the remote host is affected by multiple vulnerabilities.
File : iplanet_web_proxy_4_0_24.nasl - Type : ACT_GATHER_INFO
2014-07-18 Name : The remote web server is affected by multiple vulnerabilities.
File : glassfish_cpu_jul_2014.nasl - Type : ACT_GATHER_INFO
2014-07-18 Name : The remote web server is affected by multiple vulnerabilities.
File : sun_java_web_server_7_0_20.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-354.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-336.nasl - Type : ACT_GATHER_INFO
2014-05-14 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_MozillaFirefox-201404-140501.nasl - Type : ACT_GATHER_INFO
2014-05-03 Name : The remote Fedora host is missing one or more security updates.
File : fedora_2014-5829.nasl - Type : ACT_GATHER_INFO
2014-04-30 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2185-1.nasl - Type : ACT_GATHER_INFO
2014-04-30 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_985d4d6ccfbd11e3a003b4b52fce4ce8.nasl - Type : ACT_GATHER_INFO
2014-04-29 Name : The remote Windows host contains a web browser that is potentially affected b...
File : seamonkey_2_26.nasl - Type : ACT_GATHER_INFO
2014-04-29 Name : The remote Windows host contains a web browser that is potentially affected b...
File : mozilla_firefox_29.nasl - Type : ACT_GATHER_INFO
2014-04-29 Name : The remote Mac OS X host contains a web browser that is potentially affected ...
File : macosx_firefox_29.nasl - Type : ACT_GATHER_INFO
2014-04-03 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-2159-1.nasl - Type : ACT_GATHER_INFO
2014-03-31 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2014-086-04.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

Source Url
BID http://www.securityfocus.com/bid/66356
BUGTRAQ http://www.securityfocus.com/archive/1/534161/100/0/threaded
CONFIRM http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761
http://www.mozilla.org/security/announce/2014/mfsa2014-45.html
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546....
http://www.vmware.com/security/advisories/VMSA-2014-0012.html
https://bugzilla.mozilla.org/show_bug.cgi?id=903885
https://bugzilla.redhat.com/show_bug.cgi?id=1079851
https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes
https://hg.mozilla.org/projects/nss/rev/709d4e597979
DEBIAN http://www.debian.org/security/2014/dsa-2994
FEDORA http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132437.html
FULLDISC http://seclists.org/fulldisclosure/2014/Dec/23
GENTOO https://security.gentoo.org/glsa/201504-01
SECUNIA http://secunia.com/advisories/59866
http://secunia.com/advisories/60621
http://secunia.com/advisories/60794
SUSE http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00015.html
http://lists.opensuse.org/opensuse-updates/2014-05/msg00010.html
http://lists.opensuse.org/opensuse-updates/2014-05/msg00033.html
UBUNTU http://www.ubuntu.com/usn/USN-2159-1
http://www.ubuntu.com/usn/USN-2185-1

Alert History

Date Information
2021-05-04 12:30:04
  • Multiple Updates
2021-04-22 01:36:11
  • Multiple Updates
2020-05-23 01:51:10
  • Multiple Updates
2020-05-23 00:39:55
  • Multiple Updates
2018-10-10 00:19:48
  • Multiple Updates
2018-08-10 12:04:12
  • Multiple Updates
2018-01-11 12:05:39
  • Multiple Updates
2017-11-15 09:23:51
  • Multiple Updates
2017-01-07 09:25:20
  • Multiple Updates
2016-12-31 09:24:20
  • Multiple Updates
2016-12-22 09:23:35
  • Multiple Updates
2016-11-29 00:24:51
  • Multiple Updates
2016-09-09 09:23:17
  • Multiple Updates
2016-07-08 21:24:15
  • Multiple Updates
2016-06-17 09:27:28
  • Multiple Updates
2016-05-19 13:27:02
  • Multiple Updates
2016-04-27 00:14:35
  • Multiple Updates
2016-01-22 09:22:17
  • Multiple Updates
2015-05-30 13:27:34
  • Multiple Updates
2015-05-21 13:31:11
  • Multiple Updates
2015-04-22 00:25:57
  • Multiple Updates
2015-04-21 09:24:48
  • Multiple Updates
2015-04-15 09:27:48
  • Multiple Updates
2015-04-09 13:28:44
  • Multiple Updates
2015-03-27 13:28:06
  • Multiple Updates
2015-03-20 13:28:49
  • Multiple Updates
2015-01-22 17:23:04
  • Multiple Updates
2014-12-12 09:23:08
  • Multiple Updates
2014-11-08 13:31:38
  • Multiple Updates
2014-11-01 13:26:39
  • Multiple Updates
2014-10-02 13:27:13
  • Multiple Updates
2014-09-30 13:27:30
  • Multiple Updates
2014-09-19 13:27:34
  • Multiple Updates
2014-09-17 13:25:46
  • Multiple Updates
2014-08-20 13:25:57
  • Multiple Updates
2014-08-02 13:24:17
  • Multiple Updates
2014-08-01 13:25:00
  • Multiple Updates
2014-07-29 13:25:38
  • Multiple Updates
2014-07-24 13:25:27
  • Multiple Updates
2014-07-19 13:24:34
  • Multiple Updates
2014-07-18 09:22:43
  • Multiple Updates
2014-07-17 09:22:37
  • Multiple Updates
2014-06-14 13:37:03
  • Multiple Updates
2014-06-05 09:21:20
  • Multiple Updates
2014-05-31 09:21:22
  • Multiple Updates
2014-05-23 09:21:13
  • Multiple Updates
2014-05-15 13:24:08
  • Multiple Updates
2014-05-13 13:25:12
  • Multiple Updates
2014-05-10 09:23:14
  • Multiple Updates
2014-05-05 13:23:49
  • Multiple Updates
2014-05-01 13:24:41
  • Multiple Updates
2014-04-19 13:24:32
  • Multiple Updates
2014-04-04 13:22:27
  • Multiple Updates
2014-04-01 14:39:27
  • Multiple Updates
2014-03-25 21:21:32
  • First insertion