CVE-2013-5606
nss: CERT_VerifyCert returns SECSuccess (saying certificate is good) even for bad certificates (MFSA 2013-103)
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access restrictions via a crafted certificate.
The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine hypervisor. It includes everything necessary to run and manage virtual machines: a subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. Upgrade Note: If you upgrade Red Hat Enterprise Virtualization Hypervisor 6.4 to version 6.5 through the 3.3 Manager administration portal, configuration of the previous system appears to be lost when reported in the TUI. However, this is an issue in the TUI itself, not in the upgrade process; the configuration of the system is not affected.
SSVC
- Decision:-
Timeline
- 2013-08-26 CVE Reserved
- 2013-11-16 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-264: Permissions, Privileges, and Access Controls
References (24)
URL | Date | SRC |
---|---|---|
http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00000.html | 2018-10-09 | |
http://lists.opensuse.org/opensuse-updates/2013-11/msg00080.html | 2018-10-09 | |
http://rhn.redhat.com/errata/RHSA-2013-1791.html | 2018-10-09 | |
http://rhn.redhat.com/errata/RHSA-2013-1829.html | 2018-10-09 | |
http://rhn.redhat.com/errata/RHSA-2014-0041.html | 2018-10-09 | |
http://security.gentoo.org/glsa/glsa-201406-19.xml | 2018-10-09 | |
http://www.debian.org/security/2014/dsa-2994 | 2018-10-09 | |
http://www.ubuntu.com/usn/USN-2030-1 | 2018-10-09 | |
https://security.gentoo.org/glsa/201504-01 | 2018-10-09 | |
https://access.redhat.com/security/cve/CVE-2013-5606 | 2014-01-21 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1031457 | 2014-01-21 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Mozilla | Network Security Services | 3.15 | - | Affected |
Mozilla | Network Security Services | 3.15.1 | - | Affected |
Mozilla | Network Security Services | 3.15.2 | - | Affected |