Lucene search

K

Veracode Vulnerability DatabaseVERACODE:11433

HistoryJan 15, 2019 - 9:01 a.m.

Spoofable RSA Signatures

2019-01-1509:01:59

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

7

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

nss is vulnerable to spoofable RSA signature attacks. The vulnerability exists as Mozilla Network Security Services (NSS) before 3.16.2.1, 3.16.x before 3.16.5, and 3.17.x before 3.17.1, as used in Mozilla Firefox before 32.0.3, Mozilla Firefox ESR 24.x before 24.8.1 and 31.x before 31.1.1, Mozilla Thunderbird before 24.8.1 and 31.x before 31.1.2, Mozilla SeaMonkey before 2.29.1, Google Chrome before 37.0.2062.124 on Windows and OS X, and Google Chrome OS before 37.0.2062.120, does not properly parse ASN.1 values in X.509 certificates, which makes it easier for remote attackers to spoof RSA signatures via a crafted certificate, aka a “signature malleability” issue.

CPENameOperatorVersion
nsseq3.15.1__15.el6
nsseq3.12.8__1.el6_0
nsseq3.12.2.0__4.el4
nsseq3.12.2.0__1.el4
nsseq3.15.3__3.el6_5
nsseq3.13.6__3.el5_9
nsseq3.12.10__4.el5_7
nsseq3.12.6__1.el4_8
nsseq3.14.0.0__12.el6
nsseq3.12.1.1__3.el5

Rows per page:

1-10 of 881

References

googlechromereleases.blogspot.com/2014/09/stable-channel-update-for-chrome-os_24.html

googlechromereleases.blogspot.com/2014/09/stable-channel-update_24.html

kb.juniper.net/InfoCenter/index?page=content&id=JSA10698

kb.juniper.net/InfoCenter/index?page=content&id=JSA10761

lists.opensuse.org/opensuse-security-announce/2014-09/msg00032.html

lists.opensuse.org/opensuse-security-announce/2014-09/msg00036.html

lists.opensuse.org/opensuse-security-announce/2014-09/msg00039.html

rhn.redhat.com/errata/RHSA-2014-1307.html

rhn.redhat.com/errata/RHSA-2014-1354.html

rhn.redhat.com/errata/RHSA-2014-1371.html

secunia.com/advisories/61540

secunia.com/advisories/61574

secunia.com/advisories/61575

secunia.com/advisories/61576

secunia.com/advisories/61583

www.debian.org/security/2014/dsa-3033

www.debian.org/security/2014/dsa-3034

www.debian.org/security/2014/dsa-3037

www.kb.cert.org/vuls/id/772676

www.mozilla.org/security/announce/2014/mfsa2014-73.html

www.novell.com/support/kb/doc.php?id=7015701

www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

www.securityfocus.com/bid/70116

www.ubuntu.com/usn/USN-2360-1

www.ubuntu.com/usn/USN-2360-2

www.ubuntu.com/usn/USN-2361-1

access.redhat.com/security/updates/classification/#important

bugzilla.mozilla.org/show_bug.cgi?id=1064636

bugzilla.mozilla.org/show_bug.cgi?id=1069405

exchange.xforce.ibmcloud.com/vulnerabilities/96194

rhn.redhat.com/errata/RHSA-2014-1307.html

security.gentoo.org/glsa/201504-01

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P