CVE-2022-3479

Gentoo Linux Security Advisory 202212-05

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

A vulnerability found in nss. By this security vulnerability, nss client auth crash without a user certificate in the database and this can lead us to a segmentation fault or crash.

Una vulnerabilidad encontrada en nss. Por esta vulnerabilidad de seguridad, el cliente nss es bloqueado sin un certificado de usuario en la base de datos y esto puede conllevar a un fallo de segmentación o un bloqueo

It was discovered that NSS incorrectly handled client authentication without a user certificate in the database. A remote attacker could possibly use this issue to cause a NSS client to crash, resulting in a denial of service. This issue only affected Ubuntu 22.10. Christian Holler discovered that NSS incorrectly handled certain PKCS 12 certificated bundles. A remote attacker could use this issue to cause NSS to crash, leading to a denial of service, or possibly execute arbitrary code.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2022-10-13 CVE Reserved
2022-10-14 CVE Published
2024-11-20 CVE Updated
2025-08-10 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (3)

URL	Tag	Source
https://bugzilla.redhat.com/show_bug.cgi?id=2134331	Issue Tracking

URL	Date	SRC

URL	Date	SRC
https://bugzilla.mozilla.org/show_bug.cgi?id=1774654	2024-02-23

URL	Date	SRC
https://security.gentoo.org/glsa/202212-05	2024-02-23

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Mozilla Search vendor "Mozilla"		Network Security Services Search vendor "Mozilla" for product "Network Security Services"				>= 3.77 < 3.87 Search vendor "Mozilla" for product "Network Security Services" and version " >= 3.77 < 3.87"		-		Affected