CVE-2017-7502

CVSS V2 Medium 5 CVSS V3 High 7.5
Description
Null pointer dereference vulnerability in NSS since 3.24.0 was found when server receives empty SSLv2 messages resulting into denial of service by remote attacker.
Overview
  • CVE ID
  • CVE-2017-7502
  • Assigner
  • secalert@redhat.com
  • Vulnerability Status
  • Modified
  • Published Version
  • 2017-05-30T18:29:00
  • Last Modified Date
  • 2023-02-12T23:30:14
Weakness Enumerations
CWE URL
CWE-476 http://cwe.mitre.org/data/definitions/476.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:mozilla:network_security_services:3.24.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.25.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.25.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.26.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.26.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.27.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.27.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.27.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.28.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.28.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.28.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.28.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.29.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.29.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.29.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.29.3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.30.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:network_security_services:3.30.1:*:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:L/Au:N/C:N/I:N/A:P
  • Access Vector
  • NETWORK
  • Access Compatibility
  • LOW
  • Authentication
  • NONE
  • Confidentiality Impact
  • NONE
  • Integrity Impact
  • NONE
  • Availability Impact
  • PARTIAL
  • Base Score
  • 5
  • Severity
  • MEDIUM
  • Exploitability Score
  • 10
  • Impact Score
  • 2.9
CVSS Version 3
  • Version
  • 3.0
  • Vector String
  • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • NONE
  • User Interaction
  • NONE
  • Scope
  • UNCHANGED
  • Confidentiality Impact
  • NONE
  • Availability Impact
  • HIGH
  • Base Score
  • 7.5
  • Base Severity
  • HIGH
  • Exploitability Score
  • 3.9
  • Impact Score
  • 3.6
References
Reference URL Reference Tags
http://www.debian.org/security/2017/dsa-3872
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.securityfocus.com/bid/98744 Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1038579
https://access.redhat.com/errata/RHSA-2017:1364
https://access.redhat.com/errata/RHSA-2017:1365
https://access.redhat.com/errata/RHSA-2017:1567
https://access.redhat.com/errata/RHSA-2017:1712
https://access.redhat.com/security/cve/CVE-2017-7502
https://bugzilla.redhat.com/show_bug.cgi?id=1446631
https://hg.mozilla.org/projects/nss/rev/55ea60effd0d Patch
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2017-7502
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7502
History
Created Old Value New Value Data Type Notes
2022-05-10 18:51:27 Added to TrackCVE
2022-12-02 17:22:23 2017-05-30T18:29Z 2017-05-30T18:29:00 CVE Published Date updated
2022-12-02 17:22:23 2018-01-05T02:31:51 CVE Modified Date updated
2022-12-02 17:22:23 Modified Vulnerability Status updated
2023-02-02 17:06:24 2023-02-02T15:17:23 CVE Modified Date updated
2023-02-02 17:06:24 Null pointer dereference vulnerability in NSS since 3.24.0 was found when server receives empty SSLv2 messages resulting into denial of service by remote attacker. A null pointer dereference flaw was found in the way NSS handled empty SSLv2 messages. An attacker could use this flaw to crash a server application compiled against the NSS library. Description updated
2023-02-02 17:06:25 References updated
2023-02-13 01:07:00 2023-02-12T23:30:14 CVE Modified Date updated
2023-02-13 01:07:00 A null pointer dereference flaw was found in the way NSS handled empty SSLv2 messages. An attacker could use this flaw to crash a server application compiled against the NSS library. Null pointer dereference vulnerability in NSS since 3.24.0 was found when server receives empty SSLv2 messages resulting into denial of service by remote attacker. Description updated