CVE-2014-1569

2014-12-1500:00:00

ubuntu.com

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.039 Low

EPSS

Percentile

91.8%

JSON

The definite_length_decoder function in lib/util/quickder.c in Mozilla
Network Security Services (NSS) before 3.16.2.4 and 3.17.x before 3.17.3
does not ensure that the DER encoding of an ASN.1 length is properly
formed, which allows remote attackers to conduct data-smuggling attacks by
using a long byte sequence for an encoding, as demonstrated by the
SEC_QuickDERDecodeItem function’s improper handling of an arbitrary-length
encoding of 0x00.

Bugs

OSVersionArchitecturePackageVersionFilename
ubuntu10.04noarchnss< 3.17.1-0ubuntu0.10.04.2UNKNOWN
ubuntu12.04noarchnss< 3.17.1-0ubuntu0.12.04.2UNKNOWN
ubuntu14.04noarchnss< 2:3.17.1-0ubuntu0.14.04.2UNKNOWN
ubuntu14.10noarchnss< 2:3.17.1-0ubuntu1.1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	10.04	noarch	nss	< 3.17.1-0ubuntu0.10.04.2	UNKNOWN
ubuntu	12.04	noarch	nss	< 3.17.1-0ubuntu0.12.04.2	UNKNOWN
ubuntu	14.04	noarch	nss	< 2:3.17.1-0ubuntu0.14.04.2	UNKNOWN
ubuntu	14.10	noarch	nss	< 2:3.17.1-0ubuntu1.1	UNKNOWN