Page 7 of 43 results (0.009 seconds)

CVSS: 5.8EPSS: 0%CPEs: 3EXPL: 0

CVE-2013-5606 – nss: CERT_VerifyCert returns SECSuccess (saying certificate is good) even for bad certificates (MFSA 2013-103)

https://notcve.org/view.php?id=CVE-2013-5606

The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access restrictions via a crafted certificate. La función CERT_VerifyCert en lib / certhigh / certvfy.c de Servicios de Seguridad de Mozilla red (NSS) 3.15 antes de 3 3.15 proporciona un valor inesperado de retorno para un certificado de clave-uso incompatible cuando el argumento CERTVerifyLog es válido, lo que podría permitir a atacantes remotos evitar restricciones de acceso destinados a través de un certificado manipulado • http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761 http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00000.html http://lists.opensuse.org/opensuse-updates/2013-11/msg00080.html http://rhn.redhat.com/errata/RHSA-2013-1791.html http://rhn.redhat.com/errata/RHSA-2013-1829.html http://rhn.redhat.com/errata/RHSA-2014-0041.html http://seclists.org/fulldisclosure/2014/Dec/23 http://security.gentoo.org/glsa/glsa-201406-19.xml http://www.debian.org/securi • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 5.0EPSS: 11%CPEs: 20EXPL: 0

CVE-2013-1739 – nss: Avoid uninitialized data read in the event of a decryption failure

https://notcve.org/view.php?id=CVE-2013-1739

Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure. Mozilla Network Security Services (NSS) en versiones anteriores a 3.15.2 no asegura que las estructuras de datos estén inicializadas antes de las operaciones de lectura, lo que permite a atacantes remotos provocar una denegación de servicio o posiblemente tener otro impacto no especificado a través de vectores que desencadenan un fallo de descifrado. • http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761 http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00014.html http://lists.opensuse.org/opensuse-updates/2013-10/msg00013.html http://lists.opensuse.org/opensuse-updates/2013-10/msg00016.html http://rhn.redhat.com/errata/RHSA-2013-1791.html http://rhn.redhat.com/errata/RHSA-2013-1829.html http://seclists.org/fulldisclosure/2014/Dec/23 http://security.gentoo.org/glsa/glsa-201406-19.xml http://www.debia •

CVSS: 5.0EPSS: 6%CPEs: 19EXPL: 0

CVE-2013-0791 – Mozilla: Out-of-bounds array read in CERT_DecodeCertPackage (MFSA 2013-40)

https://notcve.org/view.php?id=CVE-2013-0791

The CERT_DecodeCertPackage function in Mozilla Network Security Services (NSS), as used in Mozilla Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbird before 17.0.5, Thunderbird ESR 17.x before 17.0.5, SeaMonkey before 2.17, and other products, allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) via a crafted certificate. La función CERT_DecodeCertPackage en Mozilla Network Security Services (NSS), tal como se utiliza en Mozilla Firefox antes de v20.0, Firefox ESR v17.x antes v17.0.5, Thunderbird antes de v17.0.5, Thunderbird ESR v17.x antes de v17.0.5, SeaMonkey antes de v2.17, y otros productos, permite a atacantes remotos provocar una denegación de servicio (fuera del terreno de juego y lectura de corrupción de memoria) a través de un certificado manipulado. • http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761 http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00009.html http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00013.html http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00019.html http://rhn.redhat.com/errata/RHSA-2013-1135.html http://rhn.redhat.com/errata/RHSA-2013-1144.html http://www.mozilla.org/security • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVSS: 5.1EPSS: 0%CPEs: 25EXPL: 0

CVE-2013-1620 – nss: TLS CBC padding timing attack

https://notcve.org/view.php?id=CVE-2013-1620

The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. La implementación en Mozilla Network Security Services (NSS) de TLS no tiene debidamente en cuenta tiempos de canal lateral ataques a una operación de comprobación de incumplimiento MAC durante el procesamiento de malformaciones relleno CBC, que permite a atacantes remotos para realizar ataques distintivos y los ataques de recuperación de texto plano-a través de análisis estadístico de datos de tiempo de los paquetes hechos a mano, una cuestión relacionada con CVE-2013-0169. • http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761 http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00009.html http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00010.html http://openwall.com/lists/oss-security/2013/02/05/24 http://rhn.redhat.com/errata/RHSA-2013-1135.html http://rhn.redhat.com/errata/RHSA-2013-1144.html http://seclists.org/fulldisclosure/2014/Dec/23 http://security.gentoo.org/glsa/glsa-201406-19.xml http://www. • CWE-203: Observable Discrepancy •

CVSS: 4.3EPSS: 3%CPEs: 23EXPL: 0

CVE-2011-5094

https://notcve.org/view.php?id=CVE-2011-5094

Mozilla Network Security Services (NSS) 3.x, with certain settings of the SSL_ENABLE_RENEGOTIATION option, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-1473. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment ** EN DISPUTA ** Mozilla Network Security Services (NSS) v3.x, con ciertos ajustes de la opción SSL_ENABLE_RENEGOTIATION, no restringen adecuadamente la renegociación iniciada por el cliente dentro de los protocolos SSL y TLS, lo que podría hacer más fácil para los atacantes remotos causar una denegación de servicio (consumo de CPU) mediante la realización de las renegociaciones de muchos dentro de una sola conexión, una vulnerabilidad diferente a CVE-2011-1473. NOTA: también se puede argumentar que es la responsabilidad de las implementaciones de servidores, no una biblioteca de seguridad, para prevenir o limitar la renegociación cuando es inapropiado dentro de un entorno específico. • http://orchilles.com/2011/03/ssl-renegotiation-dos.html http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html http://www.educatedguesswork.org/2011/10/ssltls_and_computational_dos.html http://www.ietf.org/mail-archive/web/tls/current/msg07553.html http://www.ietf.org/mail-archive/web/tls/current/msg07564.html http://www.ietf.org/mail-archive/web/tls/current/msg07567.html http://www.ietf.org/mail-archive/web/tls/current/msg07576.html http://www.ietf.org/mail- •