CVE-2014-1492

CVSS V2 Medium 4.3 CVSS V3 None
Description
The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
Overview
  • CVE ID
  • CVE-2014-1492
  • Assigner
  • security@mozilla.org
  • Vulnerability Status
  • Modified
  • Published Version
  • 2014-03-25T13:25:38
  • Last Modified Date
  • 2018-10-09T19:42:51
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:* 1 OR 3.15.5
cpe:2.3:a:mozilla:network_security_services:3.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.2.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.3.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.3.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.4.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.4.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.6.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.7.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.7.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.7.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.7.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.7.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.9:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.11.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.11.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.11.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.11.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.12:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.12.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.12.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.12.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.12.3.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.12.3.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.12.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.12.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.12.6:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.12.7:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.12.8:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.12.9:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.12.10:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.12.11:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.14:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.14.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.14.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.14.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.14.4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.14.5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.15:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.15.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.15.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.15.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.15.3.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.15.4:*:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:M/Au:N/C:N/I:P/A:N
  • Access Vector
  • NETWORK
  • Access Compatibility
  • MEDIUM
  • Authentication
  • NONE
  • Confidentiality Impact
  • NONE
  • Integrity Impact
  • PARTIAL
  • Availability Impact
  • NONE
  • Base Score
  • 4.3
  • Severity
  • MEDIUM
  • Exploitability Score
  • 8.6
  • Impact Score
  • 2.9
References
Reference URL Reference Tags
https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes
https://bugzilla.redhat.com/show_bug.cgi?id=1079851
https://bugzilla.mozilla.org/show_bug.cgi?id=903885
https://hg.mozilla.org/projects/nss/rev/709d4e597979 Exploit Patch
http://www.ubuntu.com/usn/USN-2159-1
http://www.mozilla.org/security/announce/2014/mfsa2014-45.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-May/132437.html
http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00006.html
http://lists.opensuse.org/opensuse-updates/2014-05/msg00010.html
http://lists.opensuse.org/opensuse-updates/2014-05/msg00033.html
http://www.ubuntu.com/usn/USN-2185-1
http://lists.opensuse.org/opensuse-security-announce/2014-05/msg00015.html
http://secunia.com/advisories/59866
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
http://www.vmware.com/security/advisories/VMSA-2014-0012.html
http://seclists.org/fulldisclosure/2014/Dec/23
http://www.debian.org/security/2014/dsa-2994
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.securityfocus.com/bid/66356
https://security.gentoo.org/glsa/201504-01
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761
http://secunia.com/advisories/60794
http://secunia.com/advisories/60621
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
http://www.securityfocus.com/archive/1/534161/100/0/threaded
History
Created Old Value New Value Data Type Notes
2022-05-10 18:35:17 Added to TrackCVE
2022-12-01 22:26:33 2014-03-25T13:25Z 2014-03-25T13:25:38 CVE Published Date updated
2022-12-01 22:26:33 2018-10-09T19:42:51 CVE Modified Date updated
2022-12-01 22:26:33 Modified Vulnerability Status updated