CVE-2016-9574

SUSE Security Advisory - SUSE-SU-2017:1175-1

Severity Score

5.9

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

nss before version 3.30 is vulnerable to a remote denial of service during the session handshake when using SessionTicket extension and ECDHE-ECDSA.

nss en versiones anteriores a la 3.30 es vulnerable a una denegación de servicio (DoS) remota durante el handshake de sesión al emplear la extensión SessionTicket y ECDHE-ECDSA.

An update that fixes 29 vulnerabilities is now available. Mozilla Firefox was updated to the Firefox ESR release 45.9. Mozilla NSS was updated to support TLS 1.3 and various new ciphers, PRFs, Diffie Hellman key agreement and support for more hashes. Security issues fixed in Firefox code Firefox ESR 45.9, and Firefox ESR 52.1 XSLT processing processing Graphite 2 in the editor manipulation are sent with incorrect data application/http-index-format content application/http-index-format content destructor during XSLT processing events Mozilla NSS was updated to 3.29.5, bringing new features and fixing bugs.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-11-23 CVE Reserved
2017-05-03 CVE Published
2024-08-06 CVE Updated
2024-08-06 First Exploit
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-325: Missing Cryptographic Step
CWE-384: Session Fixation

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC
https://bugzilla.mozilla.org/show_bug.cgi?id=1320695	2024-08-06
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9574	2024-08-06

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Mozilla Search vendor "Mozilla"		Network Security Services Search vendor "Mozilla" for product "Network Security Services"				< 3.30 Search vendor "Mozilla" for product "Network Security Services" and version " < 3.30"		-		Affected